Package evidence

@pushary/[email protected]

Js Obfuscated Fetch Exec: Hex-decoded literal + network fetch + child-process exec — staged obfuscated-loader / dropper (hides the C2 URL from literal-URL detection).

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 532
Versions published: 46
First published: May 2026
Publisher: aadilghani

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pushary/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pushary/[email protected]"],"fail_on":"high"}'

Publisheraadilghani

Artifact bytes95,561

Previous version0.18.1

Published2026-06-20T12:06:08.600Z

SHA-256fcf06211c9c93bc921c675aa15285978798f30d836aa9fb58b58bf53c89a65d1

Why flagged

What the scanner saw

Js Obfuscated Fetch Exec: Hex-decoded literal + network fetch + child-process exec — staged obfuscated-loader / dropper (hides the C2 URL from literal-URL detection).

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

15h agoLast checked

highRisk

45Score

0.18.2Version

Status history (1 event)

new → available15h ago · risk high · score 45 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Obfuscated Fetch Exec	package/dist/bin/pushary-setup.js	Hex-decoded literal + network fetch + child-process exec — staged obfuscated-loader / dropper (hides the C2 URL from literal-URL detection).	45

Manifest

Package metadata

Scripts3

buildnode scripts/bundle-plugin.mjs && tsup
devtsup --watch
testbun test src/api.test.ts && bun test src/claude-config.test.ts && bun test src/config.test.ts && bun test src/mcp-http.test.ts && bun test src/retry.test.ts && bun test src/usage.test.ts && bun test src/validate.test.ts && bun test src/policy.test.ts && bun test src/npm.test.ts && bun test src/identity.test.ts && bun test src/pending.test.ts && bun test src/events.test.ts && bun test src/describe.test.ts && bun test src/suggestions.test.ts && bun test src/hook.test.ts && bun test src/codex-adapter.test.ts && bun test src/codex-config.test.ts && bun test src/pairing.test.ts

Dependencies3

@inquirer/prompts^8.4.2
qrcode-terminal^0.12.0
smol-toml^1.6.1