Package evidence
@zantarix/[email protected]
Known Indicator Filename: package/node_modules/@sigstore/bundle/dist/bundle.js
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher: GitHub Actions · Trusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zantarix/[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zantarix/[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
Known Indicator Filename: package/node_modules/@sigstore/bundle/dist/bundle.js
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 412 · status changed
Related candidates
Linked campaigns and clusters
- Known Indicator Filename — package/node_modules/@sigstore/sign/dist/bundler/bundle.js · 4 members · evidence strength 90
- Known Indicator Filename — package/node_modules/@sigstore/bundle/dist/bundle.js · 4 members · evidence strength 90
- Install-time lifecycle script — postinstall="node --input-type=module --eval \"import{existssync}from'node:fs';if(!existssync('./src'))await import('./bin/download-binary.js')\"" · 2 members · evidence strength 70
- Install Lifecycle Remote Or Exec — postinstall="node --input-type=module --eval \"import{existssync}from'node:fs';if(!existssync('./src'))await import('./bin/download-binary.js')\"" · 2 members · evidence strength 70
- Install Lifecycle Remote Or Exec — postinstall="node --input-type=module --eval \"import{existsSync}from'node:fs';if(!existsSync('./src'))await import('./bin/download-binary.js')\"" · 2 members · evidence strength 70
- Install-time lifecycle script — postinstall="node --input-type=module --eval \"import{existsSync}from'node:fs';if(!existsSync('./src'))await import('./bin/download-binary.js')\"" · 2 members · evidence strength 70
Evidence
Static findings
55 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/node_modules/@sigstore/bundle/dist/bundle.js | package/node_modules/@sigstore/bundle/dist/bundle.js | 45 |
| high | Known Indicator Filename | package/node_modules/@sigstore/sign/dist/bundler/bundle.js | package/node_modules/@sigstore/sign/dist/bundler/bundle.js | 45 |
| high | DNS / OAST exfiltration | package/node_modules/@npmcli/agent/lib/dns.js | matched "dns.lookup" | 30 |
| high | DNS / OAST exfiltration | package/node_modules/socks-proxy-agent/dist/index.js | matched "dns.lookup" | 30 |
| high | DNS / OAST exfiltration | package/node_modules/make-fetch-happen/lib/options.js | matched "dns.lookup" | 30 |
| high | Install-time lifecycle script | package.json | postinstall="node --input-type=module --eval \"import{existsSync}from'node:fs';if(!existsSync('./src'))await import('./bin/download-binary.js')\"" | 30 |
| high | Install Lifecycle Remote Or Exec | package.json | postinstall="node --input-type=module --eval \"import{existsSync}from'node:fs';if(!existsSync('./src'))await import('./bin/download-binary.js')\"" | 30 |
| medium | Remote Payload | package/bin/download-binary.js | matched "github.com/zantarix/cursus/releases/download" | 12 |
| medium | Remote Payload | package/node_modules/minipass-fetch/lib/index.js | matched "cURL " | 12 |
| medium | Obfuscation Density | package/node_modules/iconv-lite/encodings/sbcs-data-generated.js | high encoded/escaped-token density | 12 |
| low | Install-time lifecycle script | package.json | prepare="tsc" | 4 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/any.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/minipass-fetch/lib/blob.js | matched "\\u0020" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/lib/bom-handling.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/verify/dist/tlog/checkpoint.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/tuf/dist/client.js | matched "Buffer.from(repoSeed['root.json'], 'base64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/core/dist/crypto.js | matched "Buffer.from(key, 'base64" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/dbcs-data.js | matched "\\u00a5" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/descriptor.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/bin/download-binary.js | matched "Buffer.from(payloadB64, 'base64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/verify/dist/tlog/dsse.js | matched "Buffer.from(tlogSig, 'base64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/core/dist/encoding.js | matched "Buffer.from(str, BASE64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/envelope.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/events.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/rekor/v2/hashedrekord.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/verify/dist/tlog/hashedrekord.js | matched "Buffer.from(tlogSig, 'base64" | 3 |
| low | Obfuscation | package/node_modules/minipass-fetch/lib/headers.js | matched "\\x20" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/sign/dist/witness/tlog/index.js | matched "Buffer.from(entry.body, 'base64" | 3 |
| low | Obfuscation | package/node_modules/@tufjs/models/node_modules/brace-expansion/dist/commonjs/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/@tufjs/models/node_modules/brace-expansion/dist/esm/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/glob/node_modules/brace-expansion/dist/commonjs/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/glob/node_modules/brace-expansion/dist/esm/index.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/lib/index.js | matched "\\u0100" | 3 |
| low | Obfuscation | package/node_modules/minipass-fetch/lib/index.js | matched "Buffer.from(rawData, 'base64" | 3 |
| low | Obfuscation | package/node_modules/ssri/lib/index.js | matched "\\x21" | 3 |
| low | Obfuscation | package/node_modules/glob/dist/commonjs/index.min.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/glob/dist/esm/index.min.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/internal.js | matched "Buffer.from(str, \"base64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/verify/dist/tlog/intoto.js | matched "Buffer.from(tlogSig, 'base64" | 3 |
| low | Obfuscation | package/node_modules/debug/src/node.js | matched "\\u001B" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/core/dist/pem.js | matched "Buffer.from(der, 'base64" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/sbcs-codec.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/sbcs-data-generated.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/sbcs-data.js | matched "\\x80" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_common.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_verification.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/safer-buffer/tests.js | matched "Buffer.from('b25ldHdvdGhyZWU=', 'base64" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/utf7.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/node_modules/@sigstore/protobuf-specs/dist/__generated__/rekor/v2/verifier.js | matched "Buffer.from(bytesFromBase64" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/tables/cp936.json | matched "\\u0000" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/tables/cp949.json | matched "\\u0000" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/tables/cp950.json | matched "\\u0000" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/tables/eucjp.json | matched "\\u0000" | 3 |
| low | Obfuscation | package/node_modules/iconv-lite/encodings/tables/shiftjis.json | matched "\\u0000" | 3 |
Manifest
Package metadata
Scripts (5)
- build: tsc
- clean: rm -rf bin
- postinstall: node --input-type=module --eval "import{existsSync}from'node:fs';if(!existsSync('./src'))await import('./bin/download-binary.js')"
- prepare: tsc
- test: eslint src
Dependencies (1)
- sigstore 4.1.1