PkgRadar

Package evidence

@shopify/[email protected]

Webhook Exfil Endpoint: matched "ngrok.app"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 661 (Mature · −50% score)
First published: Feb 2023
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@shopify/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@shopify/[email protected]"],"fail_on":"high"}'

Artifact bytes: 675,014
Previous version: 0.0.0-snapshot.20260611113556
Published: 2026-06-12T14:38:55.874Z
SHA-256: a758c8c62086f886067a0d2f1f2c1c5f3b90175398c0c06b08b0e51f2ada67ba

Why flagged

What the scanner saw

Webhook Exfil Endpoint: matched "ngrok.app"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 13
Version: 0.0.0-snapshot.20260612143512
Status history (1 event)
  1. new · available · risk high · score 13 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|----------|------|------|--------|--------|
| high | Webhook Exfil Endpoint | package/build/utils/vite-config.js | matched "ngrok.app" | 40 |
| low | Credential file access | package/build/utils/template-sync.js | matched ".npmrc" | 5 |
| low | Obfuscation Density | package/dashboard/pnpm-lock.yaml | high encoded/escaped-token density | 0 |

Manifest

Package metadata

Scripts (20)
  • build: pnpm clean && pnpm build:cli:graphql && pnpm build:cli && pnpm dev-panel:build-and-copy && pnpm dashboard:build-and-copy
  • build:cli: tsc -p tsconfig.build.json && chmod 755 build/index.js && cp src/commands/dev/utils/safari-inspector.applescript build/commands/dev/utils && cpx "src/schemas/*.json" build/schemas && pnpm build:cli:examples
  • build:cli:examples: cpx "src/commands/create/examples/**/{*,.*}" build/commands/create/examples
  • build:cli:graphql: node --import tsx scripts/graphql-codegen.ts && pnpm lint:fix
  • build:cli:watch: chokidar "./src/**/*.ts" -c "pnpm run build:cli" --silent --initial --ignore '(build|node_modules)'
  • clean: rm -rf build
  • dashboard:build: cd ./dashboard && pnpm build
  • dashboard:build-and-copy: cd dashboard && rm -rf dist && pnpm install --ignore-workspace && pnpm build && cd .. && mkdir -p build/dashboard/ && cp -r dashboard/dist/* build/dashboard
  • dashboard:clean: cd ./dashboard && rm -rf dist
  • dashboard:install: cd ./dashboard && pnpm install --ignore-workspace
  • dev-panel:build: cd ./dev-panel && PUBLIC_URL=/dev-panel pnpm build
  • dev-panel:build-and-copy: mkdir -p build/dev-panel/ && pnpm dev-panel:clean && pnpm dev-panel:install && pnpm dev-panel:build && cp -r dev-panel/build/* build/dev-panel
  • dev-panel:clean: cd ./dev-panel && rm -rf build
  • dev-panel:install: cd ./dev-panel && pnpm install --ignore-workspace
  • dev-panel:start: cd ./dev-panel && pnpm start
  • lint: eslint . --ext .js,.mjs,.ts,.tsx --format codeframe --cache
  • lint:fix: eslint . --ext .js,.mjs,.ts,.tsx --format codeframe --cache --fix
  • shop-minis: ./build/index.js
  • test: vitest
  • type-check: tsc --noEmit --incremental false
Dependencies (39)
  • @bugsnag/node 8.6.0
  • @google-cloud/storage 7.17.2
  • @ngrok/ngrok 1.4.1
  • @shopify/cli-kit 3.94.3
  • @tailwindcss/vite 4.1.16
  • @types/diff 7.0.2
  • @types/jscodeshift 0.11.11
  • @vitejs/plugin-react 4.7.0
  • archiver 5.3.2
  • chalk 4.1.2
  • commander 9.5.0
  • connect 3.7.0
  • diff 7.0.0
  • dotenv 16.6.1
  • envinfo 7.20.0
  • escape-string-regexp 4.0.0
  • external-editor 3.1.0
  • finalhandler 2.1.0
  • fs-extra 11.3.2
  • glob 9.3.5
  • google-auth-library 9.8.0
  • graphql-request 5.2.0
  • image-size 2.0.2
  • inquirer 8.2.7
  • internal-ip 6.2.0
  • jscodeshift 0.15.2
  • json5 2.2.3
  • jsonschema 1.5.0
  • lodash 4.18.1
  • open 8.4.2
  • …and 9 more.