PkgRadar

Package evidence

@magmacomputing/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
365
Versions published
34
First published
Mar 2026
Publisher
magmacomputing

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@magmacomputing/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@magmacomputing/[email protected]"],"fail_on":"review"}'
Publishermagmacomputing
Artifact bytes322,714
Previous version2.11.1
Published2026-05-27T03:05:55.057Z
SHA-2561200309b26bacdcb5ddbba015dfdfddfd81869dd78a7d99bcfe3f3a85e7224aa

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
12Score
2.11.2Version
Status history (1 event)
  1. newavailable · risk review · score 12 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/dist/support/support.license.jshigh encoded/escaped-token density12

Manifest

Package metadata

Scripts20
  • buildnpm run clean && tsc -b && npm run build:bundle && npm run build:resolve
  • build:bundlerollup -c
  • build:resolvetsx bin/resolve-types.ts
  • cleanrm -rf dist && (tsc -b --clean || true)
  • docs:apitypedoc
  • docs:buildnpm run build && npm run docs:api && vitepress build
  • docs:devnpm run build && npm run docs:api && vitepress dev
  • docs:previewvitepress preview
  • parsecross-env TEMPO_LITE=true tsx --conditions=development -i --harmony-temporal --import ./bin/parse.ts
  • prepublishOnlyif [ $(git rev-parse --abbrev-ref HEAD) != main ]; then echo 'ERROR: Must be on main branch to publish.'; exit 1; fi && if [ -z "$TEMPO_LICENSE_PATH" ] || [ ! -f "$TEMPO_LICENSE_PATH" ]; then echo '🚨 ERROR: TEMPO_LICENSE_PATH is missing or invalid. Cannot publish Premium build.'; exit 1; fi && npm run build
  • publishnpm publish --access public
  • repltsx --conditions=development -i --import ./bin/temporal-polyfill.ts --import ./bin/repl.ts
  • repl:baretsx --conditions=development -i --harmony-temporal
  • repl:corecross-env TEMPO_LITE=true tsx --conditions=development -i --harmony-temporal --import ./bin/core.ts
  • repl:disttsx -i --import ./bin/temporal-polyfill.ts --import ./bin/repl.ts
  • repl:nodetsx --conditions=development -i --harmony-temporal --import ./bin/repl.ts
  • testvitest run
  • test:cicross-env TZ=America/New_York LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 vitest run
  • test:ci:prefiltercross-env TZ=America/New_York LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 TEMPO_PREFILTER_CI=true vitest run
  • test:distcross-env TEST_DIST=true vitest run
Dependencies1
  • tslib^2.8.1