PkgRadar

Package evidence

@nstep_/[email protected]

Suspicious Publish Context: {"package_age_days":2,"publisher":"nstep_","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
4
First published
Jun 2026
Publisher
nstep_

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nstep_/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nstep_/[email protected]"],"fail_on":"review"}'
Publishernstep_
Artifact bytes1,278,377
Previous version0.2.1
Published2026-06-20T13:50:22.051Z
SHA-2566aaf849e67bdd84822892cb58cf7ced9870141d34e0237c7c8690b34bc705e1a

Why flagged

What the scanner saw

Suspicious Publish Context: {"package_age_days":2,"publisher":"nstep_","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
0.2.2Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumSuspicious Publish Contextmanifest{"package_age_days":2,"publisher":"nstep_","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}10

Manifest

Package metadata

Scripts23
  • buildpnpm run clean && tsc && pnpm run copy-templates
  • cleannode -e "require('node:fs').rmSync('dist', { recursive: true, force: true })"
  • copy-templatesnode scripts/copy-templates.js
  • devtsc --watch
  • formatprettier --write src/
  • format:checkprettier --check src/
  • linteslint src/ test/
  • lint:allpnpm lint && pnpm lint:py
  • lint:fixeslint src/ test/ --fix
  • lint:pybasedpyright
  • manifestnode scripts/create-manifest.js
  • prepublishOnlypnpm test && pnpm run build && cp ../../README.md ../../LICENSE . && cp -r ../../assets .
  • releasenode scripts/check-manifest-continuity.js && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version patch && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin master --tags
  • release:betanode scripts/check-manifest-continuity.js && node scripts/check-docs-changelog.js --type beta && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version prerelease --preid beta && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin HEAD --tags
  • release:majornode scripts/check-manifest-continuity.js && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version major && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin master --tags
  • release:minornode scripts/check-manifest-continuity.js && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version minor && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin master --tags
  • release:promotenode scripts/check-manifest-continuity.js && node scripts/check-docs-changelog.js --type promote && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version "$(node -p "require('./package.json').version.replace(/-.*/, '')")" && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin master --tags
  • release:rcnode scripts/check-manifest-continuity.js && node scripts/check-docs-changelog.js --type rc && pnpm test && git add -A -- ':!docs-site' && (git diff-index --quiet HEAD || git commit -m 'chore: pre-release updates') && pnpm version --no-git-tag-version prerelease --preid rc && V=$(node -p "require('./package.json').version") && git add package.json && git commit -m "$V" && git tag "v$V" && git push origin HEAD --tags
  • startnode ./dist/cli/index.js
  • testvitest run
  • test:coveragevitest run --coverage
  • test:watchvitest
  • typechecktsc --noEmit
Dependencies5
  • chalk^5.3.0
  • commander^12.1.0
  • figlet^1.9.4
  • inquirer^9.3.7
  • undici^6.21.0