Package evidence

@runsec/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 6,499Niche · −30% score
Versions published: 6
First published: May 2026
Publisher: runsec

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@runsec/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@runsec/[email protected]"],"fail_on":"review"}'

Publisherrunsec

Artifact bytes1,288,723

Previous version1.0.114

Published2026-05-26T08:15:30.625Z

SHA-2564d3403d4008c6866da76c5335923e33d39021e910e5cf42eaee5718ba406e3e1

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18d agoLast checked

reviewRisk

31Score

1.0.115Version

Status history (1 event)

new → available18d ago · risk review · score 31 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/data/semgrep-rules/devops-security.yaml	matched "curl "	12
medium	Remote Payload	package/dist/data/semgrep-rules/infra-k8s-helm.yaml	matched "curl "	12
medium	Remote Payload	package/dist/data/semgrep-rules/java-enterprise.yaml	matched "curl "	12

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/data/semgrep-rules/devops-security.yaml	matched "curl "	12
medium	Remote Payload	package/dist/data/semgrep-rules/infra-k8s-helm.yaml	matched "curl "	12
medium	Remote Payload	package/dist/data/semgrep-rules/java-enterprise.yaml	matched "curl "	12
low	Credential file access	package/dist/data/semgrep-rules/cloud-secrets.yaml	matched "AWS_SECRET_ACCESS_KEY"	3
low	Credential file access	package/dist/data/semgrep-rules/devops-security.yaml	matched "AWS_SECRET_ACCESS_KEY"	3
low	Credential file access	package/dist/data/semgrep-rules/java-enterprise.yaml	matched "aws_secret_access_key"	3

Manifest

Package metadata

Scripts22

audit:workspacetsx scripts/audit-workspace.ts
buildnode scripts/ensure-build-deps.cjs && tsup src/index.ts --format cjs --clean && node -e "const fs=require('fs'); fs.cpSync('src/rules/data','dist/data',{recursive:true}); fs.mkdirSync('dist/skills',{recursive:true}); fs.cpSync('src/skills/framework-skills.json','dist/skills/framework-skills.json');"
debug:pipelinetsx scripts/debug-pipeline.ts
download:engine-binariesnode scripts/download-binaries.cjs
download:engine-binaries:localnode scripts/download-binaries.cjs --only-current
download:engine-binaries:partialnode scripts/download-binaries.cjs --allow-partial
engines:preparenpm run generate:binary-packages && npm run download:engine-binaries
generate:binary-packagesnode scripts/generate-binary-packages.cjs
link:engines:localnode scripts/link-engines-local.cjs
prepublishOnlynode scripts/ensure-build-deps.cjs && npm run build && node scripts/verify-thin-pack.cjs
publish-enginesnode scripts/publish-engines.cjs
publish-engines:dry-runnode scripts/publish-engines.cjs --dry-run
releasenode scripts/release.cjs
release:dry-runnode scripts/release.cjs --dry-run
scan:silknpm run build && tsx scripts/scan-silk.ts
simulate:outputtsx scripts/simulate_output.ts
testvitest run
test:e2enpm run build && tsx scripts/debug-pipeline.ts
test:goldtsx scripts/qaValidationReport.ts
test:gold:parsetsx scripts/qaValidationReport.ts --parse-only
verify:npm-publishnode scripts/verify-npm-publish.cjs
verify:thin-packnode scripts/verify-thin-pack.cjs

Dependencies4

@modelcontextprotocol/sdk^1.29.0
ignore^7.0.5
js-yaml^4.1.1
web-tree-sitter^0.26.9

Optional dependencies18

@runsec/engine-semgrep-darwin-arm64^1.0.0
@runsec/engine-semgrep-darwin-x64^1.0.0
@runsec/engine-semgrep-linux-arm64^1.0.0
@runsec/engine-semgrep-linux-x64^1.0.0
@runsec/engine-semgrep-win32-arm64^1.0.0
@runsec/engine-semgrep-win32-x64^1.0.0
@runsec/engine-syft-darwin-arm64^1.0.0
@runsec/engine-syft-darwin-x64^1.0.0
@runsec/engine-syft-linux-arm64^1.0.0
@runsec/engine-syft-linux-x64^1.0.0
@runsec/engine-syft-win32-arm64^1.0.0
@runsec/engine-syft-win32-x64^1.0.0
@runsec/engine-trufflehog-darwin-arm64^1.0.0
@runsec/engine-trufflehog-darwin-x64^1.0.0
@runsec/engine-trufflehog-linux-arm64^1.0.0
@runsec/engine-trufflehog-linux-x64^1.0.0
@runsec/engine-trufflehog-win32-arm64^1.0.0
@runsec/engine-trufflehog-win32-x64^1.0.0