PkgRadar

Package evidence

@kodelyth/[email protected]

Webhook Exfil Endpoint: matched "ngrok.app"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
4,545Niche · −30% score
Versions published
29
First published
May 2026
Publisher
sifxprime

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kodelyth/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kodelyth/[email protected]"],"fail_on":"high"}'
Publishersifxprime
Artifact bytes23,345,174
Previous version2026.6.9
Published2026-06-03T22:57:11.236Z
SHA-25601f0b3b926ad78afa2f62c73e6cd5af1f5c6139fb0a79837a3c505c9b85c6ce7

Why flagged

What the scanner saw

Webhook Exfil Endpoint: matched "ngrok.app"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
138Score
2026.6.10Version
Status history (1 event)
  1. newavailable · risk high · score 138 · status changed

Evidence

Static findings

21 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highWebhook Exfil Endpointpackage/dist/dist-CwB6c7No.jsmatched "ngrok.app"40
highWebhook Exfil Endpointpackage/dist/guarded-json-api-BanksCb1.jsmatched "ngrok-free.app"40
highWebhook Exfil Endpointpackage/dist/i18n-Qqwpm2ue.jsmatched "api.telegram.org/bot"40
mediumCredential file accesspackage/dist/install-package-dir-BSfFotyu.jsmatched ".npmrc"10
mediumCredential file accesspackage/dist/npm-install-env-V8BfnzHl.jsmatched ".npmrc"10
mediumCredential file accesspackage/dist/npm-managed-root-CZeaaeAi.jsmatched ".npmrc"10
Show all 21 findings (low-signal and informational)
SeverityKindPathDetailPoints
highWebhook Exfil Endpointpackage/dist/dist-CwB6c7No.jsmatched "ngrok.app"40
highWebhook Exfil Endpointpackage/dist/guarded-json-api-BanksCb1.jsmatched "ngrok-free.app"40
highWebhook Exfil Endpointpackage/dist/i18n-Qqwpm2ue.jsmatched "api.telegram.org/bot"40
mediumCredential file accesspackage/dist/install-package-dir-BSfFotyu.jsmatched ".npmrc"10
mediumCredential file accesspackage/dist/npm-install-env-V8BfnzHl.jsmatched ".npmrc"10
mediumCredential file accesspackage/dist/npm-managed-root-CZeaaeAi.jsmatched ".npmrc"10
lowCredential file accesspackage/dist/channel.runtime-QM7CZoEX.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/dist-cjs-Bf1frInF.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/dist-cjs-BfWgSl1S.jsmatched "aws_access_key"5
lowCredential file accesspackage/dist/host-env-security-B05WNWEJ.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/model-auth-91ZcFuY4.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/model-auth-markers-CzG51uNB.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/model-auth-runtime-shared-Avg9h5VR.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/provider-contract-api-wkMwEqQi.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src-Cflsp4rJ.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/ssh-config-Y_Ws0fEz.jsmatched ".ssh/"5
lowCredential file accesspackage/dist/vertex-adc-DywqPmT8.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowInstall-time lifecycle scriptpackage.jsonpreinstall="node scripts/preinstall-package-manager-warning.mjs"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall-bundled-plugins.mjs"5
lowCredential file accesspackage/dist/extensions/google/klaw.plugin.jsonmatched "GOOGLE_APPLICATION_CREDENTIALS"3
lowObfuscation Densitypackage/dist/crypto-runtime-62ZR08eh.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts381
  • audit:seamsnode scripts/audit-seams.mjs
  • buildnode scripts/build-all.mjs
  • build:ci-artifactsnode scripts/build-all.mjs ciArtifacts
  • build:dockernode scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm plugins:assets:build && pnpm plugins:assets:copy && node --experimental-strip-types scripts/copy-hook-metadata.ts && node --experimental-strip-types scripts/copy-export-html-templates.ts && node --experimental-strip-types scripts/write-build-info.ts && node --experimental-strip-types scripts/write-cli-startup-metadata.ts && node --experimental-strip-types scripts/write-cli-compat.ts
  • build:plugin-sdk:dtsnode scripts/run-tsgo.mjs -p tsconfig.plugin-sdk.dts.json --declaration true
  • build:plugin-sdk:strict-smokepnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts
  • build:strict-smokepnpm plugins:assets:build && node scripts/tsdown-build.mjs && node scripts/check-cli-bootstrap-imports.mjs && node scripts/runtime-postbuild.mjs && node scripts/build-stamp.mjs && node scripts/runtime-postbuild-stamp.mjs && pnpm build:plugin-sdk:dts && node --experimental-strip-types scripts/write-plugin-sdk-entry-dts.ts && node scripts/check-plugin-sdk-exports.mjs
  • canvas:a2ui:bundlenode scripts/bundle-a2ui.mjs
  • changed:lanesnode scripts/changed-lanes.mjs
  • checknode scripts/check.mjs
  • check:architecturepnpm check:import-cycles && pnpm check:madge-import-cycles && pnpm check:deprecated-api-usage && pnpm check:deprecated-jsdoc
  • check:base-config-schemanode --import tsx scripts/generate-base-config-schema.ts --check
  • check:bundled-channel-config-metadatanode --import tsx scripts/generate-bundled-channel-config-metadata.ts --check
  • check:changednode scripts/check-changed.mjs
  • check:changelog-attributionsnode scripts/check-changelog-attributions.mjs
  • check:deprecated-api-usagenode scripts/check-deprecated-api-usage.mjs
  • check:deprecated-jsdocnode scripts/check-deprecated-jsdoc.mjs
  • check:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-mdx && pnpm docs:check-i18n-glossary && pnpm docs:check-links
  • check:host-env-policy:swiftnode scripts/generate-host-env-security-policy-swift.mjs --check
  • check:import-cyclesnode --import tsx scripts/check-import-cycles.ts
  • check:locnode --import tsx scripts/check-ts-max-loc.ts --max 500
  • check:madge-import-cyclesnode --import tsx scripts/check-madge-import-cycles.ts
  • check:media-download-helpersnode scripts/check-media-download-helper-roundtrip.mjs
  • check:no-conflict-markersnode scripts/check-no-conflict-markers.mjs
  • check:no-runtime-action-load-confignode scripts/check-no-runtime-action-load-config.mjs
  • check:opengrep-rule-metadatanode security/opengrep/check-rule-metadata.mjs
  • check:runtime-sidecar-loadersnode --import tsx scripts/check-runtime-sidecar-loaders.mjs
  • check:static-import-sccspnpm check:madge-import-cycles
  • check:temp-path-guardrailsnode --import tsx scripts/check-temp-path-guardrails.ts
  • check:test-typespnpm tsgo:test
  • …and 351 more.
Dependencies50
  • @agentclientprotocol/sdk0.21.1
  • @clack/core1.3.1
  • @clack/prompts1.4.0
  • @earendil-works/pi-agent-core0.75.1
  • @earendil-works/pi-ai0.75.1
  • @earendil-works/pi-coding-agent0.75.1
  • @earendil-works/pi-tui0.75.1
  • @google/genai2.3.0
  • @grammyjs/runner2.0.3
  • @grammyjs/transformer-throttler1.2.1
  • @homebridge/ciao1.3.8
  • @kodelyth/fs-safe0.2.4
  • @kodelyth/proxyline0.3.3
  • @lydell/node-pty1.2.0-beta.12
  • @modelcontextprotocol/sdk1.29.0
  • @mozilla/readability0.6.0
  • ajv8.20.0
  • chalk5.6.2
  • chokidar5.0.0
  • commander14.0.3
  • croner10.0.1
  • dotenv17.4.2
  • express5.2.1
  • file-type22.0.1
  • grammy1.42.0
  • ipaddr.js2.4.0
  • jiti2.7.0
  • json52.2.3
  • jszip3.10.1
  • kysely0.29.1
  • …and 20 more.
Optional dependencies2
  • sharp0.34.5
  • sqlite-vec0.1.9