PkgRadar

Package evidence

@pixelbyte-software/[email protected]

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
883
Versions published
123
First published
Apr 2026
Publisher
alicomert

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pixelbyte-software/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pixelbyte-software/[email protected]"],"fail_on":"high"}'
Publisheralicomert
Artifact bytes4,746,729
Previous version1.51.1
Published2026-06-02T05:24:58.759Z
SHA-25604209752367b5fea4ac6328775cb833e0148ba3ee4450abf44ffb9b50a463e66

Why flagged

What the scanner saw

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
99Score
1.51.2Version
Status history (1 event)
  1. newavailable · risk high · score 99 · status changed

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Hidden Powershellpackage/dist-server/server/modules/providers/provider.routes.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
highJs Hidden Powershellpackage/server/modules/providers/provider.routes.tsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
mediumRemote Payloadpackage/dist-server/server/services/hermes-install-jobs.jsmatched "Invoke-WebRequest"12
mediumRemote Payloadpackage/server/services/hermes-install-jobs.jsmatched "Invoke-WebRequest"12
Show all 9 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Hidden Powershellpackage/dist-server/server/modules/providers/provider.routes.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
highJs Hidden Powershellpackage/server/modules/providers/provider.routes.tsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
mediumRemote Payloadpackage/dist-server/server/services/hermes-install-jobs.jsmatched "Invoke-WebRequest"12
mediumRemote Payloadpackage/server/services/hermes-install-jobs.jsmatched "Invoke-WebRequest"12
lowCredential file accesspackage/dist-server/server/services/provider-models.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/server/services/provider-models.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowMessenger Bot Endpointpackage/dist-server/server/services/telegram/telegram-http-client.jsmatched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)5
lowMessenger Bot Endpointpackage/server/services/telegram/telegram-http-client.jsmatched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/fix-node-pty.js"5

Manifest

Package metadata

Scripts31
  • buildnpm run build:client && npm run build:server
  • build:clientvite build
  • build:servertsc -p server/tsconfig.json && tsc-alias -p server/tsconfig.json
  • clientvite
  • devnpm run server:dev
  • issues:v1.38node scripts/github/create-v1.38-issues.mjs --apply
  • linteslint src/ server/
  • lint:fixeslint src/ server/ --fix
  • postinstallnode scripts/fix-node-pty.js
  • prebuild:servernode -e "require('node:fs').rmSync('dist-server', { recursive: true, force: true })"
  • preparehusky
  • prepublishOnlynpm run build
  • previewvite preview
  • release./release.sh
  • servernode dist-server/server/cli.js start
  • server:devnode server/cli.js daemon install --mode system --port 3001 --frontend-port 5173
  • server:dev-watchnode server/cli.js daemon restart --mode system --port 3001 --frontend-port 5173
  • smoke:chat-session-statenode scripts/smoke/chat-session-state.mjs
  • smoke:orchestration-apinode scripts/smoke/orchestration-api.mjs
  • smoke:orchestration-livenode scripts/smoke/orchestration-live-run.mjs
  • smoke:provider-restnode scripts/smoke/provider-rest-api.mjs
  • smoke:static-rootnode scripts/smoke/static-root-routing.mjs
  • smoke:telegram-controlnode scripts/smoke/telegram-control.mjs
  • smoke:update-uxnode scripts/smoke/update-ux.mjs
  • smoke:v138-completionnode scripts/smoke/v138-completion.mjs
  • smoke:v138-desktopnode scripts/smoke/v138-desktop-release-hardening.mjs
  • smoke:v138-diagnosticsnode scripts/smoke/v138-diagnostics.mjs
  • smoke:v138-issuesnode scripts/smoke/v138-issue-planner.mjs
  • startnpm run build && npm run server
  • typechecktsc --noEmit -p tsconfig.json && tsc --noEmit -p server/tsconfig.json
  • …and 1 more.
Dependencies20
  • @anthropic-ai/claude-agent-sdk^0.2.116
  • @iarna/toml^2.2.5
  • @octokit/rest^22.0.0
  • @openai/codex-sdk^0.101.0
  • bcryptjs^3.0.3
  • better-sqlite3^12.6.2
  • chokidar^4.0.3
  • cors^2.8.5
  • cross-spawn^7.0.3
  • express^4.18.2
  • gray-matter^4.0.3
  • jsonwebtoken^9.0.2
  • mime-types^3.0.1
  • monaco-editor^0.55.1
  • multer^2.0.1
  • node-fetch^2.7.0
  • node-pty^1.2.0-beta.12
  • tar^7.5.13
  • web-push^3.6.7
  • ws^8.14.2