Package evidence

@syx0310/[email protected]

Known Indicator Filename: package/build/src/stealth.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 52
Versions published: 13
First published: Feb 2026
Publisher: syx0310

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@syx0310/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@syx0310/[email protected]"],"fail_on":"high"}'

Publishersyx0310

Artifact bytes2,537,792

Previous version0.20.4

Published2026-03-23T06:49:38.853Z

SHA-256468bca50831d802bf6a953fbe36cd003d338baab23e8b7c3b2954d6d70b6dda6

Why flagged

What the scanner saw

Known Indicator Filename: package/build/src/stealth.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

29h agoLast checked

highRisk

45Score

0.20.5Version

Status history (1 event)

new → available29h ago · risk high · score 45 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/build/src/stealth.js	package/build/src/stealth.js	45

Manifest

Package metadata

Scripts21

buildtsc && node --experimental-strip-types --no-warnings=ExperimentalWarning scripts/post-build.ts
bundlenpm run clean && npm run build && rollup -c rollup.config.mjs && node -e "require('fs').rmSync('build/node_modules', {recursive: true, force: true})" && node --experimental-strip-types scripts/append-lighthouse-notices.ts && node -e "const f='build/src/third_party/lighthouse-devtools-mcp-bundle.js';require('fs').writeFileSync(f,require('fs').readFileSync(f,'utf8').replace('import puppeteer from \"puppeteer-core\";','import { puppeteer } from \"./index.js\";'))"
check-formateslint --cache . && prettier --check --cache .;
cleannode -e "require('fs').rmSync('build', {recursive: true, force: true})"
cli:generatenode --experimental-strip-types scripts/generate-cli.ts
count-tokensnode --experimental-strip-types scripts/count_tokens.ts
docs:generatenode --experimental-strip-types scripts/generate-docs.ts
evalnpm run build && node --experimental-strip-types scripts/eval_gemini.ts
formateslint --cache --fix . && prettier --write --cache .
gennpm run build && npm run docs:generate && npm run cli:generate && npm run format
preparenode --experimental-strip-types scripts/prepare.ts
startnpm run build && node build/src/index.js
start-debugDEBUG=mcp:* DEBUG_COLORS=false npm run build && node build/src/index.js
testnpm run build && node scripts/test.mjs
test:no-buildnode scripts/test.mjs
test:onlynpm run build && node scripts/test.mjs --test-only
test:update-snapshotsnpm run build && node scripts/test.mjs --test-update-snapshots
typechecktsc --noEmit
update-lighthousenode --experimental-strip-types scripts/update-lighthouse.ts
verify-npm-packagenode scripts/verify-npm-package.mjs
verify-server-json-versionnode --experimental-strip-types scripts/verify-server-json-version.ts