PkgRadar

Package evidence

@mercuryworkshop/[email protected]

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mercuryworkshop/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mercuryworkshop/[email protected]"],"fail_on":"high"}'
Publishercoolelectronics
Artifact bytes4,590,597
Previous version2.0.2-alpha
Published2026-05-16T20:24:58.137Z
SHA-2561d4822df8f267614c41af7c1131f0fe33b845a1440faeb85836b1f599371fa59

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
42Score
2.0.5-alphaVersion
Status history (2 events)
  1. availableavailable · risk high · score 42 · status available -> available, risk high -> high, score 90 -> 42
  2. newavailable · risk high · score 90 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPstale

Install-time lifecycle script — preinstall="npx only-allow pnpm"

21 members · evidence strength 90
Publisher / release actor burststale

coolelectronics

2 members · evidence strength 64

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"30
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"30
lowObfuscationpackage/dist/scramjet_bundled.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/scramjet.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/scramjet_bundled.mjsmatched "fromCharCode"3
lowObfuscationpackage/dist/scramjet.mjsmatched "fromCharCode"3

Manifest

Package metadata

Scripts14
  • buildcd ../.. && rspack build --mode production
  • devnode server.js
  • dev:debugDEBUG=1 node server.js
  • formatprettier --write .
  • format:docsremark "docs/**/*.{md,mdx}" --output
  • linteslint ./src/
  • lint:allnpm run lint && npm run lint:workflows
  • lint:fixeslint ./src/ --fix
  • lint:workflowsactionlint .github/workflows/*.yml
  • preinstallnpx only-allow pnpm
  • pubnpm publish --no-git-checks --access public
  • rewriter:buildcd rewriter/wasm/ && bash build.sh && cd ../../
  • testnpm run test:package
  • test:packageava tests/ci/packageValidation.js
Dependencies7
  • @mercuryworkshop/proxy-transports1.0.2
  • dom-serializer^2.0.0
  • domhandler^5.0.3
  • domutils^3.2.2
  • htmlparser2^12.0.0
  • idb^8.0.3
  • parse-domain^8.2.2