Package evidence

@zenalexa/[email protected]

Known Indicator Filename: package/dist/browser/stealth.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 38
First published: Apr 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zenalexa/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zenalexa/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes2,665,290

Previous version0.225.0

Published2026-06-02T18:06:58.265Z

SHA-2564e3df78a4176b9d1ee2cfd8385de708accf7e01478e7b2545b16ebd7a99bfd16

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/browser/stealth.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

10d agoLast checked

reviewRisk

27Score

0.225.1Version

Status history (1 event)

new → available10d ago · risk review · score 27 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/dist/browser/stealth.js	package/dist/browser/stealth.js	45
high	Known Indicator Filename	package/src/adapters/amazon/discussion.yaml	package/src/adapters/amazon/discussion.yaml	45

Manifest

Package metadata

Scripts59

adapter:bootstraptsx scripts/bootstrap-adapter-tests.ts
adapter:healthtsx scripts/adapter-health-probe.ts
benchtsx bench/report.ts
bench:agenttsx bench/agent/sdk-runner.ts
bench:gatenode scripts/bench/check-ship-gate.js
bench:quicktsx bench/agent/report.ts
bench:self-discoverytsx bench/self-discovery.ts
bench:surface-coveragetsx bench/surface-coverage.ts
boundary:checktsx scripts/boundary-guard.ts
buildnpm run clean && tsc && tsx scripts/build-manifest.js && tsx scripts/count-stats.ts && tsx scripts/build-readme.ts && tsx scripts/build-agents.ts && prettier --write AGENTS.md
build:agentstsx scripts/build-agents.ts
build:manifesttsx scripts/build-manifest.js
changesetchangeset
changeset:statuschangeset status --since=origin/main
changeset:versionchangeset version
check:exportstsx scripts/check-exports-count.ts
cleannode -e "require('node:fs').rmSync('dist',{recursive:true,force:true})"
compute:smoketsx scripts/compute-live-smoke.ts
conformancetsx scripts/conformance-report.ts
coverage:adapter-testtsx scripts/check-adapter-test-coverage.ts --threshold 50
coverage:compute-snapshotvitest run --project unit tests/unit/refs.test.ts tests/unit/snapshot-encoder.test.ts --coverage --coverage.enabled=true --coverage.provider=v8 --coverage.include=src/transport/refs.ts --coverage.include=src/transport/snapshot-encoder.ts --coverage.reporter=text --coverage.thresholds.lines=100 --coverage.thresholds.functions=100 --coverage.thresholds.branches=100 --coverage.thresholds.statements=100
devtsx src/main.ts
docs:buildnpm run docs:prepare && node -e "require('node:fs').rmSync('docs/.vitepress/dist',{recursive:true,force:true})" && vitepress build docs && npm run docs:check-public
docs:check-publictsx scripts/check-public-docs.ts
docs:devnpm run docs:prepare && vitepress dev docs
docs:preparetsx scripts/generate-catalog.ts && tsx scripts/generate-docs-agent-assets.ts
docs:previewvitepress preview docs
doctortsx src/doctor.ts
e2e:realnpm run build && tsx scripts/e2e-real-matrix.ts
formatprettier --write .
…and 29 more.

Dependencies12

ajv^8.20.0
ajv-formats^3.0.1
chalk^5.6.2
cli-table3^0.6.5
commander^14.0.3
fast-xml-parser^5.8.0
js-yaml^4.1.1
jsonpath-plus^10.4.0
turndown^7.2.4
undici^8.3.0
ws^8.21.0
zod^4.4.3