Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: Jun 2026
Publisher: monarchjuno

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishermonarchjuno

Artifact bytes3,415,871

Previous version0.3.1

Published2026-06-02T09:00:40.905Z

SHA-256239cf1f8d88f67c2383a19cf915d7b0fd7d4df6eb17ffc9af26459cf2bcb19e1

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

15d agoLast checked

reviewRisk

29Score

0.3.2Version

Status history (1 event)

new → available15d ago · risk review · score 29 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/server/services/apm-package/github-source.js	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/client/install.sh	matched "curl "	12

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/server/services/apm-package/github-source.js	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/client/install.sh	matched "curl "	12
low	Credential file access	package/client/assets/index.es-Btlrnc3g.js	matched ".npmrc"	5

Manifest

Package metadata

Scripts19

buildnpm run build:all
build:allnpm run clean && npm run build:client && npm run build:server
build:clientvite build --outDir client
build:servertsc -p tsconfig.server.json && node scripts/copy-runtime-assets.mjs
cleannode -e "require('fs').rmSync('dist', { recursive: true, force: true }); require('fs').rmSync('client', { recursive: true, force: true })"
devnpm run dev:all
dev:allnpm run kill-ports && tsx server/start.ts
dev:clientvite
kill-portsnode scripts/kill-ports.mjs 43200 43201 43202
linteslint .
opencodeopencode serve --port 43202
pack:checknpm run build:all && npm pack --dry-run
prepublishOnlynpm run build:all
previewvite preview
servernode ./node_modules/tsx/dist/cli.mjs server/index.ts
server:devnode ./node_modules/tsx/dist/cli.mjs --watch server/index.ts
startnode dist/cli.js
testvitest run
type-checktsc -b --noEmit && tsc -p tsconfig.server.json --noEmit

Dependencies33

@dnd-kit/core^6.3.1
@dnd-kit/sortable^10.0.0
@dnd-kit/utilities^3.2.2
@hono/node-server^2.0.1
@lobehub/icons-static-svg^1.91.0
@lydell/node-pty^1.2.0-beta.12
@opencode-ai/sdk^1.15.6
@tanstack/react-query^5.90.21
@xterm/addon-fit^0.11.0
@xterm/addon-webgl^0.19.0
@xterm/xterm^6.0.0
@xyflow/react^12.10.1
diff^9.0.0
discord.js^14.26.4
elkjs^0.11.1
highlight.js^11.11.1
hono^4.12.18
lucide-react^0.577.0
material-file-icons^2.4.0
nanoid^5.1.7
open^10.0.0
opencode-ai^1.15.6
react^19.2.0
react-dom^19.2.0
react-markdown^10.1.0
rehype-highlight^7.0.2
remark-gfm^4.0.1
strip-json-comments^3.1.1
tsx^4.21.0
ws^8.19.0
…and 3 more.