Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@staticn0va/[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@staticn0va/[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
Credential file access: matched ".aws"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 213 · status changed
Evidence
Static findings
56 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/search/reranker/authority-boost.js | matched ".aws" | 30 |
| medium | Remote Payload | package/dist/cli/daemon.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/cli/warmup.js | matched "github.com/lightpanda-io/browser/releases/download" | 12 |
All 56 findings (including low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/search/reranker/authority-boost.js | matched ".aws" | 30 |
| medium | Remote Payload | package/dist/cli/daemon.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/cli/warmup.js | matched "github.com/lightpanda-io/browser/releases/download" | 12 |
| low | Obfuscation | package/dist/cli/tui/components/AgentSelect.js | matched "\\u276F" | 3 |
| low | Obfuscation | package/dist/search/answer-synthesis.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/fetch/auth.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cache/backfill-embeddings.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/backfill.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/banner.js | matched "\\u2566" | 3 |
| low | Obfuscation | package/dist/search/engines/bing.js | matched "Buffer.from(padded, \"base64" | 3 |
| low | Obfuscation | package/dist/searxng/bootstrap.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/research/brief.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/BrowserSelect.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/cache.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/agents/claude-code.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/find-similar/crawl-rank.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/crawl.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/cache/db.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/engines/devdocs.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/doctor.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/embedding/embed.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/fetch/error-describe.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/extract.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/search/v1/rss/feed-config.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/tools/fetch.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/format.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/repl/formatters.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/dist/search/engines/github-code.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/help.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/engines/hn-algolia.js | matched "\\xB7" | 3 |
| low | Obfuscation | package/dist/cli/init.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/ink-init.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/InstallProgress.js | matched "\\u25CB" | 3 |
| low | Obfuscation | package/dist/instructions.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/engines/lobsters.js | matched "\\xB7" | 3 |
| low | Obfuscation | package/dist/extraction/v1/local-llm.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/agent/pipeline.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/searxng/process.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/query.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/integrations/cloud/llm/run.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cache/migrations/runner.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/legacy/searxng-orchestrator.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/server.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/setup-mcp.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/SkillInstall.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/cli/tui/status-format.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/extraction/structured.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/Summary.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/SystemCheck.js | matched "\\u25CB" | 3 |
| low | Obfuscation | package/dist/server/tool-schemas.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/search/reranker/transformers-rerank-provider.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/tui-reporter.js | matched "\\u2588" | 3 |
| low | Obfuscation | package/dist/cli/uninstall.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/search/v1/v1-provider.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cli/tui/components/Verification.js | matched "\\u25CB" | 3 |
| low | Obfuscation | package/dist/cli/warmup.js | matched "\\u2014" | 3 |
Manifest
Package metadata
Scripts (16)
| Script | Command |
|---|---|
| bench:agent | tsx benchmarks/agent/runner.ts |
| bench:compare | tsx --env-file-if-exists=.env benchmarks/extraction/compare.ts |
| bench:embedding | tsx benchmarks/embedding/runner.ts |
| bench:embedding:quality | RUN_FASTEMBED=1 tsx benchmarks/embedding/runner.ts |
| bench:extraction | tsx benchmarks/extraction/runner.ts |
| bench:search | tsx benchmarks/search/runner.ts |
| build | tsup && tsc -p tsconfig.build.json |
| build:watch | tsup --watch |
| dev | tsx src/index.ts |
| lint | tsc --noEmit |
| test | vitest run |
| test:e2e | vitest run tests/e2e |
| test:integration | vitest run tests/integration |
| test:perf | vitest run --config vitest.perf.config.ts |
| test:unit | vitest run tests/unit |
| test:watch | vitest |
Dependencies (29)
| Package | Version |
|---|---|
| @anthropic-ai/sdk | ^0.91.1 |
| @google/genai | ^1.51.0 |
| @huggingface/transformers | ^4.2.0 |
| @iarna/toml | ^2.2.5 |
| @inkjs/ui | ^2.0.0 |
| @inquirer/prompts | ^7.10.1 |
| @modelcontextprotocol/sdk | ^1.29.0 |
| @mozilla/readability | ^0.6.0 |
| better-sqlite3 | ^12.8.0 |
| boxen | ^8.0.1 |
| chalk | ^5.6.2 |
| cli-progress | ^3.12.0 |
| defuddle | ^0.16.0 |
| fastembed | ^2.1.0 |
| gpt-tokenizer | ^3.4.0 |
| groq-sdk | ^1.1.2 |
| ink | ^5.2.1 |
| ink-big-text | ^2.0.0 |
| ink-gradient | ^3.0.0 |
| linkedom | ^0.18.12 |
| onnxruntime-node | 1.21.0 |
| openai | ^6.35.0 |
| ora | ^9.3.0 |
| pdf-parse | ^2.4.5 |
| playwright | ^1.59.1 |
| react | ^18.3.1 |
| sqlite-vec | ^0.1.9 |
| tinyld | ^1.3.4 |
| turndown | ^7.2.4 |