PkgRadar

Package evidence

@onairos/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
615
Versions published
154Mature · −50% score
First published
May 2025
Publisher
anushkajogalekar

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@onairos/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@onairos/[email protected]"],"fail_on":"review"}'
Publisheranushkajogalekar
Artifact bytes14,260,481
Previous version4.2.6
Published2026-05-16T00:41:55.932Z
SHA-2563f185bc6194198d8f9c860407425e43460e1cb368a9e984d3573ba89e2c71b34

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
4.2.7Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

27 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 27 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowObfuscation Densitypackage/lib/commonjs/components/icons/Basicprofile.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/chatGPTConversationService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/chatGPTConversationService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/connectedAccountsService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/connectedAccountsService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/icons/Contentanalysis.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/icons/EnochE.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/utils/webviewScripts/index.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/utils/webviewScripts/index.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/jwtStorageService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/jwtStorageService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/onboarding/OAuthWebView.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/components/onboarding/OAuthWebView.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/Onairos.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/icons/Personalityprofile.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/icons/Personalitytraits.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/components/PinCreationScreen.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/platformAuthService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/platformAuthService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/telegramDataService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/telegramDataService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/userConnectionsService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/userConnectionsService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/components/icons/Userpreferences.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/components/WelcomeScreen.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/commonjs/services/youtubeMigrationService.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/lib/module/services/youtubeMigrationService.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts39
  • bootstrapnpm run example && npm install
  • buildnpm run clean && bob build && npm run obfuscate
  • build:allnpm run clean && bob build && npm run obfuscate
  • build:devnpm run clean && bob build
  • build:jsbob build
  • build:securenpm run clean && bob build && npm run obfuscate
  • build:typesbob build
  • cleandel-cli lib
  • consumer:ios:cleanbash scripts/run-consumer-clean.sh
  • consumer:watch-local-sdknode scripts/watch-consumer-local-sdk.js
  • consumer:watch-local-sdk:iosnode scripts/watch-consumer-local-sdk.js --relaunch-ios
  • diagnose:apinode diagnose-api-validation.js
  • examplenpm --prefix example
  • linteslint "**/*.{js,ts,tsx}"
  • maestro:installbash scripts/install-maestro.sh
  • maestro:testnpm --prefix example run maestro:test
  • maestro:test:basicnpm --prefix example run maestro:test:basic
  • maestro:test:experimentsnpm --prefix example run maestro:test:experiments
  • maestro:test:full-flow-livebash scripts/run-live-training-experiment.sh
  • maestro:test:mainnpm --prefix example run maestro:test:main
  • maestro:test:no-initnpm --prefix example run maestro:test:no-init
  • maestro:test:tiktok-livebash scripts/run-live-tiktok-connector.sh
  • maestro:test:training-livebash scripts/run-live-training-experiment.sh
  • maestro:test:youtube-livebash scripts/run-live-youtube-oauth.sh
  • obfuscatenode scripts/obfuscate.js
  • obfuscate:drynode scripts/obfuscate.js --dry-run --verbose
  • prebuildnpm run clean
  • prepareecho 'Skipping build for local development'
  • prepublishOnlynpm run build:secure && npm run verify
  • releaserelease-it
  • …and 9 more.
Dependencies6
  • @react-native-async-storage/async-storage^2.2.0
  • axios^1.6.2
  • js-sha256^0.11.0
  • jwt-decode^4.0.0
  • react-native-crypto-js^1.0.0
  • react-native-rsa-native^2.0.5