Package evidence
@psnext/[email protected]
Remote Payload: matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${bt}-coding-agent`},signal:AbortSignal.timeout(b$)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function T$(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(x$)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=d$(e);await f$(g$.fromWeb(n.body),i)}function C$(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=p$(i,{withFileTypes:!0});for(let r of s){let o=qi(i,r.name);if(r.isFile()&&r.name===e)return o;r.isDirectory()&&n.push(o)}}return null}function k$(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function Wl(t,e){let n=SM(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${k$(n)}`}function M$(t,e,n){let i=Wl(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function R$(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=qi(t,\"System32\",\"tar.exe\");if(v0(e))return e}return\"tar.exe\"}function I$(t,e,n){let i=[];if(Pp()===\"win32\"){let s=Wl(R$(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let o=Wl(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!o)return;i.push(o)}else{let s=Wl(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let r=Wl(\"tar\",[\"xf\",t,\"-C\",e]);if(!r)return;i.push(r)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function P$(t){let e=y0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=Pp(),i=h$(),s=await S$(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let r=e.getAssetName(s,n,i);if(!r)throw new Error(`Unsupported platform: ${n}/${i}`);yM(Ll,{recursive:!0});let o=`https://github.com/${e.repo}/releases/download"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 423
- Versions published
- 46
- First published
- May 2026
- Publisher
- rravuri
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@psnext/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@psnext/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${bt}-coding-agent`},signal:AbortSignal.timeout(b$)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function T$(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(x$)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=d$(e);await f$(g$.fromWeb(n.body),i)}function C$(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=p$(i,{withFileTypes:!0});for(let r of s){let o=qi(i,r.name);if(r.isFile()&&r.name===e)return o;r.isDirectory()&&n.push(o)}}return null}function k$(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function Wl(t,e){let n=SM(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${k$(n)}`}function M$(t,e,n){let i=Wl(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function R$(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=qi(t,\"System32\",\"tar.exe\");if(v0(e))return e}return\"tar.exe\"}function I$(t,e,n){let i=[];if(Pp()===\"win32\"){let s=Wl(R$(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let o=Wl(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!o)return;i.push(o)}else{let s=Wl(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let r=Wl(\"tar\",[\"xf\",t,\"-C\",e]);if(!r)return;i.push(r)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function P$(t){let e=y0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=Pp(),i=h$(),s=await S$(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let r=e.getAssetName(s,n,i);if(!r)throw new Error(`Unsupported platform: ${n}/${i}`);yM(Ll,{recursive:!0});let o=`https://github.com/${e.repo}/releases/download"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 95 · status changed
Evidence
Static findings
17 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/slingshot/index.js | matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${bt}-coding-agent`},signal:AbortSignal.timeout(b$)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function T$(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(x$)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=d$(e);await f$(g$.fromWeb(n.body),i)}function C$(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=p$(i,{withFileTypes:!0});for(let r of s){let o=qi(i,r.name);if(r.isFile()&&r.name===e)return o;r.isDirectory()&&n.push(o)}}return null}function k$(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function Wl(t,e){let n=SM(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${k$(n)}`}function M$(t,e,n){let i=Wl(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function R$(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=qi(t,\"System32\",\"tar.exe\");if(v0(e))return e}return\"tar.exe\"}function I$(t,e,n){let i=[];if(Pp()===\"win32\"){let s=Wl(R$(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let o=Wl(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!o)return;i.push(o)}else{let s=Wl(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let r=Wl(\"tar\",[\"xf\",t,\"-C\",e]);if(!r)return;i.push(r)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function P$(t){let e=y0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=Pp(),i=h$(),s=await S$(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let r=e.getAssetName(s,n,i);if(!r)throw new Error(`Unsupported platform: ${n}/${i}`);yM(Ll,{recursive:!0});let o=`https://github.com/${e.repo}/releases/download" | 12 |
| medium | Remote Payload | package/bin/sling.js | matched "raw.githubusercontent.com" | 12 |
Show all 17 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/slingshot/index.js | matched "github.com/repos/${t}/releases/latest`,{headers:{\"User-Agent\":`${bt}-coding-agent`},signal:AbortSignal.timeout(b$)});if(!e.ok)throw new Error(`GitHub API error: ${e.status}`);return(await e.json()).tag_name.replace(/^v/,\"\")}async function T$(t,e){let n=await fetch(t,{signal:AbortSignal.timeout(x$)});if(!n.ok)throw new Error(`Failed to download: ${n.status}`);if(!n.body)throw new Error(\"No response body\");let i=d$(e);await f$(g$.fromWeb(n.body),i)}function C$(t,e){let n=[t];for(;n.length>0;){let i=n.pop();if(!i)continue;let s=p$(i,{withFileTypes:!0});for(let r of s){let o=qi(i,r.name);if(r.isFile()&&r.name===e)return o;r.isDirectory()&&n.push(o)}}return null}function k$(t){if(t.error?.message)return t.error.message;let e=t.stderr?.toString().trim();if(e)return e;let n=t.stdout?.toString().trim();return n||`exit status ${t.status??\"unknown\"}`}function Wl(t,e){let n=SM(t,e,{stdio:\"pipe\"});return!n.error&&n.status===0?null:`${t}: ${k$(n)}`}function M$(t,e,n){let i=Wl(\"tar\",[\"xzf\",t,\"-C\",e]);if(i)throw new Error(`Failed to extract ${n}: ${i}`)}function R$(){let t=process.env.SystemRoot??process.env.WINDIR;if(t){let e=qi(t,\"System32\",\"tar.exe\");if(v0(e))return e}return\"tar.exe\"}function I$(t,e,n){let i=[];if(Pp()===\"win32\"){let s=Wl(R$(),[\"xf\",t,\"-C\",e]);if(!s)return;i.push(s);let o=Wl(\"powershell.exe\",[\"-NoLogo\",\"-NoProfile\",\"-NonInteractive\",\"-ExecutionPolicy\",\"Bypass\",\"-Command\",\"& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }\",t,e]);if(!o)return;i.push(o)}else{let s=Wl(\"unzip\",[\"-q\",t,\"-d\",e]);if(!s)return;i.push(s);let r=Wl(\"tar\",[\"xf\",t,\"-C\",e]);if(!r)return;i.push(r)}throw new Error(`Failed to extract ${n}: ${i.join(\"; \")}`)}async function P$(t){let e=y0[t];if(!e)throw new Error(`Unknown tool: ${t}`);let n=Pp(),i=h$(),s=await S$(e.repo);t===\"fd\"&&n===\"darwin\"&&i===\"x64\"&&(s=\"10.3.0\");let r=e.getAssetName(s,n,i);if(!r)throw new Error(`Unsupported platform: ${n}/${i}`);yM(Ll,{recursive:!0});let o=`https://github.com/${e.repo}/releases/download" | 12 |
| medium | Remote Payload | package/bin/sling.js | matched "raw.githubusercontent.com" | 12 |
| low | Credential file access | package/node_modules/@earendil-works/pi-coding-agent/dist/cli/args.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/google-auth-library/build/src/auth/defaultawssecuritycredentialssupplier.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/client-bedrock-runtime/dist-es/models/enums.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@earendil-works/pi-ai/dist/env-api-keys.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/google-auth-library/build/src/auth/googleauth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/bin/sling.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-ini/package.json | matched ".aws/" | 3 |
| low | Credential file access | package/node_modules/@aws-sdk/credential-provider-process/package.json | matched ".aws/" | 3 |
Manifest
Package metadata
Dependencies6
@earendil-works/pi-agent-corefile:../.sling-pack/earendil-works-pi-agent-core-0.79.3.tgz@earendil-works/pi-aifile:../.sling-pack/earendil-works-pi-ai-0.79.3.tgz@earendil-works/pi-coding-agentfile:../.sling-pack/earendil-works-pi-coding-agent-0.79.3.tgz@earendil-works/pi-tuifile:../.sling-pack/earendil-works-pi-tui-0.79.3.tgzsemver^7.6.0undici^7.19.1