Package evidence

@windmill-labs/[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"if (require('fs').existsSync('./scripts/untar_ui_builder.js')) { require('child_process').execSync('node ./scripts/untar_ui_builder.js', {stdio: 'inherit'}) }\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 7
First published: May 2026
Publisher: rubenfiszel

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@windmill-labs/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@windmill-labs/[email protected]"],"fail_on":"high"}'

Publisherrubenfiszel

Artifact bytes3,591,037

Previous version1.706.3

Published2026-05-22T17:19:38.408Z

SHA-25617859fe46c3befcfdc0964831838d74442f5a4e6f8c7749da42ec483d10eac12

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

14h agoLast checked

highRisk

45Score

1.706.4Version

Status history (1 event)

new → available14h ago · risk high · score 45 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"if (require('fs').existsSync('./scripts/untar_ui_builder.js')) { require('child_process').execSync('node ./scripts/untar_ui_builder.js', {stdio: 'inherit'}) }\""	30
medium	New Account With Lifecycle Hook	package.json	package first published 17 day(s) ago, 7 total version(s), has lifecycle hook	10

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"if (require('fs').existsSync('./scripts/untar_ui_builder.js')) { require('child_process').execSync('node ./scripts/untar_ui_builder.js', {stdio: 'inherit'}) }\""	30
medium	New Account With Lifecycle Hook	package.json	package first published 17 day(s) ago, 7 total version(s), has lifecycle hook	10
low	Credential file access	package/package/components/instanceSettings.js	matched ".npmrc"	5
low	Credential file access	package/package/system_prompts/prompts.js	matched "aws_access_key"	5
low	Install-time lifecycle script	package.json	postinstall="node -e \"if (require('fs').existsSync('./scripts/untar_ui_builder.js')) { require('child_process').execSync('node ./scripts/untar_ui_builder.js', {stdio: 'inherit'}) }\""	5
low	Obfuscation Density	package/package/components/propertyPicker/utils.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts17

buildvite build
build:utilsvite build --config sharedUtils/vite.sharedUtils.config.js
checksvelte-kit sync && svelte-check --tsconfig ./tsconfig.json --threshold warning
check:fastbun --bun svelte-fast-check --no-svelte-warnings --incremental
check:watchsvelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch
devvite dev
filter-classesnode filterTailwindClasses.js
formatprettier --ignore-path .gitignore --write --plugin-search-dir=. .
generate-backend-clientopenapi-ts --input ../backend/windmill-api/openapi.yaml --output ./src/lib/gen --useOptions --enums javascript --format false
generate-backend-client-macopenapi-ts --input ../backend/windmill-api/openapi.yaml --output ./src/lib/gen --useOptions --enums javascript
lintprettier --ignore-path .gitignore --check --plugin-search-dir=. . && eslint --ignore-path .gitignore .
packagesvelte-package -o package && node scripts/package-system-prompts.js
postinstallnode -e "if (require('fs').existsSync('./scripts/untar_ui_builder.js')) { require('child_process').execSync('node ./scripts/untar_ui_builder.js', {stdio: 'inherit'}) }"
pretesttsc --incremental -p tests/tsconfig.json
previewvite preview
test:e2eplaywright test
test:unitvitest

Dependencies90

@anthropic-ai/sdk^0.60.0
@aws-crypto/sha256-js^4.0.0
@codingame/monaco-vscode-editor-api=25.0.0
@codingame/monaco-vscode-languages-service-override=25.0.0
@codingame/monaco-vscode-standalone-css-language-features=25.0.0
@codingame/monaco-vscode-standalone-html-language-features=25.0.0
@codingame/monaco-vscode-standalone-json-language-features=25.0.0
@codingame/monaco-vscode-standalone-languages=25.0.0
@codingame/monaco-vscode-standalone-typescript-language-features=25.0.0
@json2csv/plainjs^7.0.6
@leeoniya/ufuzzy^1.0.8
@popperjs/core^2.11.8
@redocly/json-to-json-schema^0.0.1
@scalar/openapi-parser^0.15.0
@tanstack/svelte-tablenpm:tanstack-table-8-svelte-5@^0.1
@tutorlatin/svelte-tiny-virtual-list^3.0.16
@windmill-labs/svelte-dnd-action^0.9.44
@xterm/addon-fit^0.10.0
@xyflow/svelte^1.0.0
ag-charts-community^9.0.1
ag-charts-enterprise^9.0.1
ag-grid-community^31.3.4
ag-grid-enterprise^31.3.4
ansi_up^6.0.6
chart.js^4.4.6
chartjs-adapter-date-fns^3.0.0
chartjs-plugin-zoom^2.0.0
clone^2.1.2
d3-zoom^3.0.0
date-fns^2.30.0
…and 60 more.

Optional dependencies2

@rollup/rollup-linux-x64-gnu^4.35.0
fsevents^2.3.3