Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@myoc/[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@myoc/[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 1569 · status changed
Related candidates
Linked campaigns and clusters
fengsight
2 members · evidence strength 64
Evidence
Static findings
217 static · 0 from release diff · showing high-signal first.
Showing 30 of 102 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/prod/index.js | matched "raw.githubusercontent.com" | 12 |
| medium | Obfuscation Density | package/dist/prod/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ar-SA-U3PIVEZH.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/az-AZ-COAM4HVM.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/bg-BG-D6B2W7JL.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/bn-BD-BU7GZAZW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/bn-IN-MYKDEVNA.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ca-ES-GEEW5L7T.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/cs-CZ-LNVE3QM5.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/de-CH-GCXOD4LK.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/de-DE-CGDBECYD.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/el-GR-G5QZC24A.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/es-ES-UMEOH76W.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/fa-IR-QOYVIIJA.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/fi-FI-BXRW65OA.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/fr-FR-R2QH5VCW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/gl-ES-4ES3ZADP.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/he-IL-TRQRRYPH.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/hi-IN-U46BOJEC.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/hu-HU-JDULJ6XL.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ja-JP-6HYAQFYX.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/kaa-Z5UP62XJ.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/kab-KAB-Z7STWQKS.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/kk-KZ-BWHY45DX.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/km-KH-HGLNWNRU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ko-KR-CO36WKPC.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ku-TR-AACVIARC.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/lt-LT-CFYYFLDV.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/lv-LV-QCBBOFFU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/mr-IN-B2CM5GK5.js | high encoded/escaped-token density | 12 |
Show all 217 findings (low-signal and informational)
Showing 60 of 217 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/dev/locales/my-MM-756BNN36.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/nb-NO-5BLHQI4J.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/nn-NO-4J7MR6GH.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/oc-FR-XCETH7KF.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/pa-IN-32NBAN5L.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/pl-PL-R6OJ54BT.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/pt-BR-7AFGAKGR.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/pt-PT-S6BMW6MY.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ro-RO-4JVGQHS2.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ru-RU-IESI752T.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/si-LK-H75E7PKD.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/sk-SK-EUK2NR2F.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/sl-SI-AKW7R5PW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/sv-SE-QIBOOXLJ.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/ta-IN-LBK2NQ5K.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/th-TH-YJ2E6GVT.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/tr-TR-Y5GO2XJW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/uk-UA-XYAFHHJW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/vi-VN-WDPZEUOJ.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/zh-CN-SZ37453H.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/zh-HK-QDQ5QNBC.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/dev/locales/zh-TW-CYU6GFBV.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/ar-SA-TS6M4GHP.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/az-AZ-HJWG4CPD.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/bg-BG-K42QREUV.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/bn-BD-IFEECH4W.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/bn-IN-OE7SKNFR.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/ca-ES-MKBCGNOG.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/cs-CZ-V77HGUP7.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/prod/locales/de-CH-WLRDEVBV.js | high encoded/escaped-token density | 12 |
Manifest
Package metadata
Scripts (4)
| Script | Command |
|---|---|
| build:esm | rimraf dist && node ../../scripts/buildPackage.js && yarn gen:types |
| clearDist | rimraf dist |
| gen:types | rimraf types && tsc |
| release | yarn build:esm && yarn publish |

Dependencies (31)
| Package | Version |
|---|---|
| @braintree/sanitize-url | 6.0.2 |
| @excalidraw/common | npm:@myoc/[email protected] |
| @excalidraw/element | npm:@myoc/[email protected] |
| @excalidraw/laser-pointer | 1.3.1 |
| @excalidraw/math | npm:@myoc/[email protected] |
| @excalidraw/random-username | 1.1.0 |
| @lezer/highlight | ^1.0.0 |
| browser-fs-access | 0.38.0 |
| canvas-roundrect-polyfill | 0.0.1 |
| clsx | 1.1.1 |
| cross-env | 7.0.3 |
| es6-promise-pool | 2.5.0 |
| fuzzy | 0.1.3 |
| image-blob-reduce | 3.0.1 |
| jotai | 2.11.0 |
| jotai-scope | 0.7.2 |
| lodash.debounce | 4.0.8 |
| lodash.throttle | 4.1.1 |
| nanoid | 3.3.3 |
| pako | 2.0.3 |
| perfect-freehand | 1.2.0 |
| pica | 7.1.1 |
| png-chunk-text | 1.0.0 |
| png-chunks-encode | 1.0.0 |
| png-chunks-extract | 1.0.0 |
| points-on-curve | 1.0.1 |
| pwacompat | 2.0.17 |
| radix-ui | 1.4.3 |
| roughjs | 4.6.4 |
| sass | 1.51.0 |

…and 1 more.