PkgRadar

Package evidence

@xopcai/[email protected]

Known Indicator Filename: package/dist/src/browser/stealth.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,173Niche · −30% score
Versions published
81
First published
Apr 2026
Publisher
xopcai

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@xopcai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@xopcai/[email protected]"],"fail_on":"high"}'
Publisherxopcai
Artifact bytes15,147,969
Previous version0.0.75
Published2026-05-30T00:53:43.751Z
SHA-256e18733593eedc3b87695be7859105b90971a412b4451b25bd3a06d38fb92b2d2

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/src/browser/stealth.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
42Score
0.0.77Version
Status history (3 events)
  1. availableavailable · risk high · score 42 · status available -> available, risk high -> high, score 60 -> 42
  2. availableavailable · risk high · score 60 · status available -> available, risk high -> high, score 42 -> 60
  3. newavailable · risk high · score 42 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/src/browser/stealth.jspackage/dist/src/browser/stealth.js45
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/src/browser/stealth.jspackage/dist/src/browser/stealth.js45
lowCredential file accesspackage/dist/src/providers/env-keys.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/src/infra/host-env-security-policy.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/agent/sandbox/path-policy.jsmatched ".npmrc"5
lowLarge Javascript Payloadpackage/dist/gateway/static/root/assets/index-ChiUhJAs.js3277025 bytes0

Manifest

Package metadata

Scripts40
  • buildpnpm run generate:bundled && pnpm run build:node && pnpm run build:types && pnpm run build:web
  • build:cipnpm run generate:bundled && pnpm run build:node && pnpm run build:web
  • build:extensions-uinode scripts/build-extensions-ui.mjs
  • build:nodenode scripts/tsdown-build.mjs
  • build:typestsc -p tsconfig.dts.json
  • build:webpnpm -C web run build
  • devtsx src/cli/bin.ts
  • dev:webpnpm -C web run dev
  • docs:buildvitepress build docs
  • docs:devvitepress dev docs
  • docs:extension-sdkpnpm -C packages/extension-ui-sdk run docs
  • docs:previewvitepress preview docs
  • electron:buildpnpm run electron:vite:build && pnpm run electron:server:build && pnpm run electron:package
  • electron:devcross-env ELECTRON_ENTRY=out/main/index.js electron-vite dev
  • electron:frpc:downloadnode --import tsx/esm scripts/download-frpc-binaries.mjs
  • electron:frpc:download:allnode --import tsx/esm scripts/download-frpc-binaries.mjs --all
  • electron:packagenode scripts/electron-builder.mjs
  • electron:previewcross-env ELECTRON_ENTRY=out/main/index.js electron-vite preview
  • electron:server:buildnode scripts/build-electron-server.mjs
  • electron:vite:buildcross-env ELECTRON_ENTRY=out/main/index.js electron-vite build
  • generate:bundledpnpm run generate:bundled-channels && pnpm run generate:bundled-image-providers
  • generate:bundled-channelsnode scripts/generate-bundled-channel-plugins.mjs
  • generate:bundled-image-providersnode scripts/generate-bundled-image-providers.mjs
  • linteslint && pnpm -C web run lint
  • pack:browser-extpnpm -C packages/browser-ext run pack
  • release:patchbash scripts/release-patch.sh
  • skills:securitytsx src/cli/bin.ts skills test security
  • skills:testtsx src/cli/bin.ts skills test
  • skills:validatetsx src/cli/bin.ts skills test validate
  • startnode dist/src/cli/bin.js
  • …and 10 more.
Dependencies44
  • @earendil-works/pi-agent-core^0.77.0
  • @earendil-works/pi-ai^0.77.0
  • @earendil-works/pi-coding-agent0.77.0
  • @earendil-works/pi-tui^0.77.0
  • @grammyjs/runner^2.0.3
  • @hono/node-server^2.0.4
  • @inquirer/prompts^8.5.0
  • @larksuiteoapi/node-sdk^1.66.0
  • @modelcontextprotocol/sdk1.29.0
  • @mozilla/readability^0.6.0
  • @sinclair/typebox^0.34.49
  • @vscode/ripgrep^1.18.0
  • abort-controller^3.0.0
  • adm-zip^0.5.17
  • ajv^8.20.0
  • chalk^5.6.2
  • chromium-bidi15.0.0
  • cli-table3^0.6.5
  • commander^14.0.3
  • cron-parser^5.5.0
  • dotenv^17.4.2
  • electron-updater^6.8.3
  • glob^13.0.6
  • grammy^1.43.0
  • hono^4.12.23
  • jiti^2.7.0
  • js-yaml^4.1.1
  • jsdom^29.1.1
  • markdown-it^14.2.0
  • node-cron^4.2.1
  • …and 14 more.