Package evidence

@pasko70/[email protected]

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 8
First published: May 2026
Publisher: pasko70

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pasko70/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pasko70/[email protected]"],"fail_on":"review"}'

Publisherpasko70

Artifact bytes1,939,522

Previous version1.0.4

Published2026-05-02T23:57:05.051Z

SHA-256316be318ab724081e602ae9bd1ec93be16593eb0e9402716484f071f57f6b4fa

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

43h agoLast checked

reviewRisk

50Score

1.0.5Version

Status history (1 event)

new → available43h ago · risk review · score 50 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Hidden Powershell	package/dist/mcp/python-runtime.js	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.	45
high	Js Hidden Powershell	package/dist/tools/python-runtime.js	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.	45

Manifest

Package metadata

Scripts19

buildtsc -p tsconfig.json && npm run web-ui:build
chat-ui:buildvite build --config src/apps/chat-ui/vite.config.ts
chat-ui:typechecktsc -p src/apps/chat-ui/tsconfig.json --noEmit
cleannode -e "fs.rmSync('dist', { recursive: true, force: true })"
clienttsx src/bin/pibo.ts client
context-files-ui:buildvite build --config src/apps/context-files-ui/vite.config.ts
context-files-ui:typechecktsc -p src/apps/context-files-ui/tsconfig.json --noEmit
devtsx src/bin/pibo.ts
gatewaytsx src/bin/pibo.ts gateway
gateway:webnpm run web-ui:build && tsx src/bin/pibo.ts gateway:web
prepacknpm run build
profiletsx src/bin/pibo.ts profile
startnode dist/bin/pibo.js
testnpm run build && node --test test/*.test.mjs
tuitsx src/bin/pibo.ts tui
tui:gatewaytsx src/bin/pibo.ts tui gateway-producer
tui:routedtsx src/bin/pibo.ts tui:routed
typechecktsc -p tsconfig.json --noEmit && npm run chat-ui:typecheck && npm run context-files-ui:typecheck
web-ui:buildnpm run chat-ui:build && npm run context-files-ui:build

Dependencies19

@mariozechner/pi-ai^0.70.2
@mariozechner/pi-coding-agent^0.70.2
@mdxeditor/editor^3.55.0
@modelcontextprotocol/sdk^1.29.0
@tailwindcss/vite^4.2.4
@tanstack/react-query^5.100.7
@tanstack/react-router^1.168.25
@tanstack/react-start^1.167.50
@uiw/react-json-view^2.0.0-alpha.41
better-auth^1.6.9
commander^14.0.3
lexical^0.35.0
lucide-react^0.545.0
prismjs^1.30.0
react^19.2.5
react-dom^19.2.5
react-markdown^10.1.0
remark-gfm^4.0.1
tailwindcss^4.2.4