Package evidence
@spencer-kit/[email protected]
Obfuscation Density: high encoded/escaped-token density
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@spencer-kit/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@spencer-kit/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 92 · status changed
Related candidates
Linked campaigns and clusters
pallyoung
3 members · evidence strength 72Evidence
Static findings
14 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/web/assets/components-C4SKshs2.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/web/assets/html.worker-CQP8QQsS.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/esm/bin.mjs | matched "github.com/rust-lang/rust-analyzer/releases/download" | 12 |
| medium | Remote Payload | package/dist/esm/server-runner.mjs | matched "github.com/rust-lang/rust-analyzer/releases/download" | 12 |
| medium | Large Javascript Payload | package/dist/web/assets/monaco-editor-VTbRDH-J.js | 4140162 bytes | 10 |
| medium | Large Javascript Payload | package/dist/web/assets/ts.worker-METxwbDZ.js | 6894277 bytes | 10 |
Show all 14 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/web/assets/components-C4SKshs2.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/web/assets/html.worker-CQP8QQsS.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/esm/bin.mjs | matched "github.com/rust-lang/rust-analyzer/releases/download" | 12 |
| medium | Remote Payload | package/dist/esm/server-runner.mjs | matched "github.com/rust-lang/rust-analyzer/releases/download" | 12 |
| medium | Large Javascript Payload | package/dist/web/assets/monaco-editor-VTbRDH-J.js | 4140162 bytes | 10 |
| medium | Large Javascript Payload | package/dist/web/assets/ts.worker-METxwbDZ.js | 6894277 bytes | 10 |
| low | Obfuscation | package/dist/web/assets/components-C4SKshs2.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/dist/web/assets/css.worker-Wv5dxAWO.js | matched "\\x20" | 3 |
| low | Obfuscation | package/dist/web/assets/editor.worker-Bd9IXS8d.js | matched "\\x20" | 3 |
| low | Obfuscation | package/dist/web/assets/html.worker-CQP8QQsS.js | matched "\\x20" | 3 |
| low | Obfuscation | package/dist/web/assets/json.worker-DzV-CpCQ.js | matched "\\x20" | 3 |
| low | Obfuscation | package/dist/web/assets/xterm-BVlcrOZ1.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/dist/esm/bin.mjs | matched "eval(" | 3 |
| low | Obfuscation | package/dist/esm/server-runner.mjs | matched "eval(" | 3 |
Manifest
Package metadata
Scripts4
buildtsx ../../scripts/build-cli.tsdevtsx ../../scripts/dev-server.tstestvitest run --passWithNoTeststest:watchvitest
Dependencies22
@fastify/compress^8.3.1@fastify/cors^11.2.0@fastify/multipart^10.0.0@fastify/static^9.1.3@fastify/websocket^11.2.0@xterm/addon-serialize^0.14.0@xterm/headless^6.0.0chokidar^5.0.0fastify^5.8.5ignore^7.0.5markdown-it^14.1.0mime-types^2.1.35node-pty^1.1.0pino-pretty^13.1.3pm2^7.0.1typescript^6.0.3typescript-language-server^5.2.0uuid^14.0.0vscode-jsonrpc^8.2.1vscode-languageserver-protocol^3.17.5ws^8.20.0zod^4.4.2