Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 64
- Versions published
- 2
- First published
- May 2026
- Publisher
- vnaren23
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@uipath/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@uipath/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "Curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 172 · status changed
Evidence
Static findings
245 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/chunk-7HG3KS7V.js | matched "Curl " | 12 |
| medium | Obfuscation Density | package/chunk-7LF7TUYR.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-AV2XMJZK.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-DP4VB7EI.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-JA4SO6QN.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-LE344D6P.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-OCJB2TQU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-Q3TZ5E3J.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-QSPXPEUM.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-RQKBBL3R.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-X3MDAFQV.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/chunk-5LGMGLPM.js | 2628024 bytes | 10 |
Show all 245 findings (low-signal and informational)
Showing 60 of 245 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/chunk-7HG3KS7V.js | matched "Curl " | 12 |
| medium | Obfuscation Density | package/chunk-7LF7TUYR.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-AV2XMJZK.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-DP4VB7EI.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-JA4SO6QN.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-LE344D6P.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-OCJB2TQU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-Q3TZ5E3J.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-QSPXPEUM.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-RQKBBL3R.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/chunk-X3MDAFQV.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/chunk-5LGMGLPM.js | 2628024 bytes | 10 |
| low | Obfuscation | package/chunk-22FB6FDO.js | matched "\\xE9" | 3 |
| low | Obfuscation | package/chunk-26HBXFOF.js | matched "\\xED" | 3 |
| low | Obfuscation | package/chunk-2OT5DL67.js | matched "\\u016D" | 3 |
| low | Obfuscation | package/chunk-35P35R4B.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-35SAPIPO.js | matched "\\xED" | 3 |
| low | Obfuscation | package/chunk-35UVHQNZ.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-3CXBWJMK.js | matched "\\xF6" | 3 |
| low | Obfuscation | package/chunk-3JRA4PLP.js | matched "\\xE4" | 3 |
| low | Obfuscation | package/chunk-44Y6LCGU.js | matched "\\xFC" | 3 |
| low | Obfuscation | package/chunk-4DL5ZETN.js | matched "\\u0275" | 3 |
| low | Obfuscation | package/chunk-4EEYDUIP.js | matched "\\u014D" | 3 |
| low | Obfuscation | package/chunk-4EVFFVML.js | matched "\\xFD" | 3 |
| low | Obfuscation | package/chunk-4N3AI4FW.js | matched "\\u017D" | 3 |
| low | Obfuscation | package/chunk-4RC3DPEI.js | matched "\\u0275" | 3 |
| low | Obfuscation | package/chunk-4V2KJNDT.js | matched "\\xFC" | 3 |
| low | Obfuscation | package/chunk-5273O2DN.js | matched "\\xCE" | 3 |
| low | Obfuscation | package/chunk-5BQKAR6A.js | matched "\\xE7" | 3 |
| low | Obfuscation | package/chunk-5MT5VRIU.js | matched "\\xE3" | 3 |
| low | Obfuscation | package/chunk-5ORJAWGA.js | matched "\\xF4" | 3 |
| low | Obfuscation | package/chunk-5ORQKHAE.js | matched "\\xE5" | 3 |
| low | Obfuscation | package/chunk-5YPRY6TZ.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-64N3X35N.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-67OCW6FB.js | matched "\\xE5" | 3 |
| low | Obfuscation | package/chunk-6AEFIYR5.js | matched "\\u0275" | 3 |
| low | Obfuscation | package/chunk-6MB4C432.js | matched "\\u010D" | 3 |
| low | Obfuscation | package/chunk-6NRLHSPV.js | matched "\\xE9" | 3 |
| low | Obfuscation | package/chunk-6PRA22X5.js | matched "\\xE1" | 3 |
| low | Obfuscation | package/chunk-6TRN24WM.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-6XPGXWNC.js | matched "\\u0101" | 3 |
| low | Obfuscation | package/chunk-6YDBCCFI.js | matched "\\xEB" | 3 |
| low | Obfuscation | package/chunk-73XD4VKN.js | matched "\\u0101" | 3 |
| low | Obfuscation | package/chunk-76JEL4MT.js | matched "\\xE4" | 3 |
| low | Obfuscation | package/chunk-7EQRZSTI.js | matched "\\xE8" | 3 |
| low | Obfuscation | package/chunk-7FN55G7Q.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-7GO2RJNZ.js | matched "\\u016D" | 3 |
| low | Obfuscation | package/chunk-7HG3KS7V.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-7LF7TUYR.js | matched "\\u01B0" | 3 |
| low | Obfuscation | package/chunk-7XMORYEY.js | matched "\\u0275" | 3 |
| low | Obfuscation | package/chunk-AE2CAJJW.js | matched "\\u0259" | 3 |
| low | Obfuscation | package/chunk-AEGGUDJL.js | matched "\\xF4" | 3 |
| low | Obfuscation | package/chunk-AEHI5GGR.js | matched "\\u1E29" | 3 |
| low | Obfuscation | package/chunk-ALRAVU4V.js | matched "\\xF4" | 3 |
| low | Obfuscation | package/chunk-AO6PUCC2.js | matched "\\xE8" | 3 |
| low | Obfuscation | package/chunk-AOEYLDSC.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/chunk-AV2XMJZK.js | matched "\\u0E19" | 3 |
| low | Obfuscation | package/chunk-AWSJJEP7.js | matched "\\u0101" | 3 |
| low | Obfuscation | package/chunk-B3JIB7CB.js | matched "\\xE4" | 3 |
| low | Obfuscation | package/chunk-B433VOZ4.js | matched "\\xE9" | 3 |