Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 173
- First published
- Jan 2026
- Publisher
- zehua.wang
- External confirmation
- MAL-2026-4444OSV match · pinned to high regardless of other signals
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@shwfed/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@shwfed/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (3 events)
- available → available · risk high · score 12 · status available -> available, risk high -> high, score 24 -> 12
- available → available · risk high · score 24 · status available -> available, risk high -> high, score 118 -> 24
- new → available · risk high · score 118 · status changed
Related candidates
Linked campaigns and clusters
zehua.wang
9 members · evidence strength 84Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/module.mjs | matched "curl " | 12 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/module.mjs | matched "curl " | 12 |
| low | Obfuscation Density | package/dist/runtime/table-renderers/builtins.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts13
devnpm run dev:prepare && nuxt dev playgrounddev:buildnuxt build playgrounddev:preparenuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playgroundlinteslint .prepacknuxt-module-build buildpreparesimple-git-hooksreleasenpm run lint && npm run test && npm run prepack && changelogen --release --push && npm publishrelease:majornpm run lint && npm run test && npm run prepack && changelogen --major --release --push && npm publishtestvitest runtest:e2eplaywright testtest:e2e:uiplaywright test --uitest:typesvue-tsc --noEmit && cd playground && vue-tsc --noEmittest:watchvitest watch
Dependencies33
@date-fns/tz^1.4.1@fontsource-variable/noto-sans^5.2.10@fontsource-variable/noto-sans-jp^5.2.10@fontsource-variable/noto-sans-sc^5.2.10@iconify-json/fluent^1.2.40@iconify-json/vscode-icons^1.2.45@iconify/vue^5.0.0@intlify/unplugin-vue-i18n^11.0.3@nuxt/fonts^0.14.0@nuxt/kit^4.3.0@tailwindcss/typography^0.5.19@tailwindcss/vite^4.2.1@tanstack/vue-table^8.21.3@tanstack/vue-virtual^3.13.18@vueuse/core^14.1.0@vueuse/integrations^14.1.0bignumber.js^9.3.1class-variance-authority^0.7.1clsx^2.1.1date-fns^4.1.0defu^6.1.4dot-prop^10.1.0effect^3.19.15markdown-it^14.1.0mutative^1.3.0reka-ui^2.7.0sortablejs^1.15.0tailwind-merge^3.4.0vaul-vue^0.4.1vue^3.5.27- …and 3 more.