PkgRadar

Package evidence

@lordbex/[email protected]

Remote Dependency Spec: dependencies.irc-framework="https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 10
Versions published: 13 (Established · −30% score)
First published: Sep 2025
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@lordbex/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@lordbex/[email protected]"],"fail_on":"high"}'

Artifact bytes: 6,193,808
Previous version: 4.8.1
Published: 2026-04-24T20:21:07.134Z
SHA-256: addfbce3d46a456e64bbe290f9c467cf9dd002b89784ea15c79d4152b58a6afa

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.irc-framework="https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 24
Version: 4.8.5
Status history (1 event)
  1. new · available · risk high · score 24 · status changed

Evidence

Static findings

1 static · 1 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.irc-framework="https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541" | 12 |
| high | Dependency Changed To Remote Vs Previous | package.json | dependencies.irc-framework changed to remote spec in 4.8.5 vs 4.8.1: "https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541" | 12 |

Remote payloads

Followed remote artifacts

| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.irc-framework | https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541 | low | 0 | no remote findings |

Manifest

Package metadata

Scripts (17)
  • build: run-p --aggregate-output build:client build:server
  • build:client: webpack
  • build:server: tsc --build server/tsconfig.json
  • coverage: run-s test:mocha test:nospec && nyc --nycrc-path=test/.nycrc-report.json report
  • dev: cross-env NODE_ENV=development tsx server/index.ts start --dev
  • format:prettier: prettier --write "**/*.*"
  • generate:config:doc: ts-node scripts/generate-config-doc.js
  • githooks-install: git config core.hooksPath scripts/git-hooks
  • lint: run-p --aggregate-output --continue-on-error lint:eslint lint:prettier lint:stylelint
  • lint:eslint: eslint . --report-unused-disable-directives --color
  • lint:prettier: prettier --list-different "**/*.*"
  • lint:stylelint: stylelint --color "client/**/*.css"
  • start: node index start
  • test: run-p --aggregate-output --continue-on-error lint:eslint lint:prettier lint:stylelint test:mocha
  • test:mocha: webpack --mode=production && cross-env NODE_ENV=test NODE_OPTIONS="--import tsx/esm" mocha --config=test/.mocharc.yml 'test/**/*.ts'
  • test:nospec: webpack --mode=production && cross-env NODE_ENV=test NODE_OPTIONS="--import tsx/esm" mocha --config=test/.mocharc.yml
  • watch: webpack --watch
Dependencies (27)
  • @fastify/busboy: 3.2.0
  • @zip.js/zip.js: ^2.8.16
  • basic-ftp: 5.0.5
  • bcryptjs: 3.0.3
  • chalk: 5.6.2
  • cheerio: 1.1.2
  • commander: 14.0.2
  • content-disposition: 0.5.4
  • express: 5.1.0
  • file-type: 21.1.0
  • filenamify: 7.0.1
  • irc-framework: https://codeload.github.com/kiwiirc/irc-framework/tar.gz/9578e59a1056499e4a03a0f0fd2c260e9aadc541
  • ldapts: 8.0.9
  • linkify-it: 5.0.0
  • lodash: 4.17.23
  • mime-types: 3.0.1
  • node-forge: 1.3.3
  • package-json: 10.0.1
  • read: 5.0.1
  • read-chunk: 5.0.0
  • semver: 7.7.3
  • socket.io: 4.8.1
  • tlds: 1.261.0
  • ua-parser-js: 2.0.6
  • undici: 7.22.0
  • uuid: 13.0.0
  • web-push: 3.6.7
Optional dependencies (1)
  • better-sqlite3: 12.4.1