PkgRadar

Package evidence

@xopcai/[email protected]

Known Indicator Filename: package/dist/src/browser/stealth.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
79
First published
Apr 2026
Publisher
xopcai

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@xopcai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@xopcai/[email protected]"],"fail_on":"high"}'
Publisherxopcai
Artifact bytes7,713,881
Previous version0.0.90
Published2026-06-10T10:57:30.879Z
SHA-2560a55334435dc869a1f93aa3c9597c6b09ba614973fdaa7adc93f7f35eaa3cea4

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/src/browser/stealth.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
60Score
0.0.91Version
Status history (1 event)
  1. newavailable · risk high · score 60 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/src/browser/stealth.jspackage/dist/src/browser/stealth.js45
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/src/browser/stealth.jspackage/dist/src/browser/stealth.js45
lowCredential file accesspackage/dist/src/providers/env-keys.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/src/infra/host-env-security-policy.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/agent/sandbox/path-policy.jsmatched ".npmrc"5
lowLarge Javascript Payloadpackage/dist/gateway/static/root/assets/index-CKkR-v9U.js3550376 bytes0

Manifest

Package metadata

Scripts47
  • buildpnpm run generate:bundled && pnpm run build:node && pnpm run build:types && pnpm run build:web
  • build:cipnpm run generate:bundled && pnpm run build:node && pnpm run build:web
  • build:extensions-uinode scripts/build-extensions-ui.mjs
  • build:nodenode scripts/tsdown-build.mjs
  • build:typestsc -p tsconfig.dts.json
  • build:webpnpm -C web run build
  • depcheckdepcruise --config .dependency-cruiser.cjs src
  • depcheck:archidepcruise --config .dependency-cruiser.cjs --output-type archi src > docs/dependency-archi.dot
  • depcheck:graphdepcruise --config .dependency-cruiser.cjs --output-type mermaid src > docs/dependency-graph.mmd
  • depcheck:htmldepcruise --config .dependency-cruiser.cjs --output-type err-html src > docs/dependency-violations.html
  • devtsx src/cli/bin.ts
  • dev:webpnpm -C web run dev
  • docs:buildvitepress build docs
  • docs:devvitepress dev docs
  • docs:extension-sdkpnpm -C packages/extension-ui-sdk run docs
  • docs:previewvitepress preview docs
  • electron:buildpnpm run electron:vite:build:package && pnpm run electron:server:build && pnpm run electron:package
  • electron:devcross-env ELECTRON_ENTRY=out/main/index.js electron-vite dev
  • electron:frpc:downloadnode --import tsx/esm scripts/download-frpc-binaries.mjs
  • electron:frpc:download:allnode --import tsx/esm scripts/download-frpc-binaries.mjs --all
  • electron:packagenode scripts/electron-builder.mjs
  • electron:previewcross-env ELECTRON_ENTRY=out/main/index.js electron-vite preview
  • electron:server:buildnode scripts/build-electron-server.mjs
  • electron:vite:buildcross-env ELECTRON_ENTRY=out/main/index.js electron-vite build
  • electron:vite:build:packagecross-env ELECTRON_ENTRY=out/main/index.js ELECTRON_VITE_SKIP_RENDERER=1 electron-vite build
  • generate:bundledpnpm run generate:bundled-channels && pnpm run generate:bundled-image-providers
  • generate:bundled-channelsnode scripts/generate-bundled-channel-plugins.mjs
  • generate:bundled-image-providersnode scripts/generate-bundled-image-providers.mjs
  • linteslint && pnpm -C web run lint
  • pack:browser-extpnpm -C packages/browser-ext run pack
  • …and 17 more.
Dependencies42
  • @earendil-works/pi-agent-core^0.78.1
  • @earendil-works/pi-ai^0.78.1
  • @earendil-works/pi-coding-agent^0.78.1
  • @earendil-works/pi-tui^0.78.1
  • @grammyjs/runner^2.0.3
  • @hono/node-server^2.0.4
  • @inquirer/prompts^8.5.0
  • @larksuiteoapi/node-sdk^1.66.0
  • @modelcontextprotocol/sdk1.29.0
  • @mozilla/readability^0.6.0
  • @sinclair/typebox^0.34.49
  • @vscode/ripgrep^1.18.0
  • abort-controller^3.0.0
  • acorn^8.16.0
  • adm-zip^0.5.17
  • ajv^8.20.0
  • chalk^5.6.2
  • cli-table3^0.6.5
  • commander^14.0.3
  • cron-parser^5.5.0
  • dotenv^17.4.2
  • electron-updater^6.8.3
  • glob^13.0.6
  • grammy^1.43.0
  • hono^4.12.23
  • jiti^2.7.0
  • js-yaml^4.1.1
  • jsdom^29.1.1
  • markdown-it^14.2.0
  • node-cron^4.2.1
  • …and 12 more.