PkgRadar

Package evidence

[email protected]

Remote Dependency Spec: dependencies.cross-spawn="https://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgz"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
196
Versions published
18Established · −30% score
First published
May 2023
Publisher
dimaslanjaka

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherdimaslanjaka
Artifact bytes242,399
Previous version2.0.12
Published2026-05-31T16:29:34.035Z
SHA-2569e658e17686e6a98b9dafd080e791549c70cf2bfe16f771a63b0b85604d0e6aa

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.cross-spawn="https://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgz"

1 candidate cluster(s) currently reference this release. 3 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
72Score
2.0.13Version
Status history (2 events)
  1. availableavailable · risk high · score 72 · status available -> available, risk high -> high, score 136 -> 72
  2. newavailable · risk high · score 136 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burstactive

dimaslanjaka

3 members · evidence strength 65
Publisher / release actor burstcandidate

dimaslanjaka

3 members · max score 72

Evidence

Static findings

3 static · 3 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highRemote Dependency Specpackage.jsondependencies.cross-spawn="https://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgz"12
highRemote Dependency Specpackage.jsondependencies.git-command-helper="https://github.com/dimaslanjaka/git-command-helper/raw/ed17f70eb7444d24bd8eb984a4afe9fd64652838/release/git-command-helper.tgz"12
highRemote Dependency Specpackage.jsondependencies.sbg-utility="https://github.com/dimaslanjaka/static-blog-generator/raw/44e5c7b79b4e60f8c2d34857c27b8ce677d7493e/packages/sbg-utility/release/sbg-utility.tgz"12
highNew Remote Dependency Vs Previouspackage.jsondependencies.cross-spawn added in 2.0.13 vs 2.0.12: "https://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgz"12
highNew Remote Dependency Vs Previouspackage.jsondependencies.git-command-helper added in 2.0.13 vs 2.0.12: "https://github.com/dimaslanjaka/git-command-helper/raw/ed17f70eb7444d24bd8eb984a4afe9fd64652838/release/git-command-helper.tgz"12
highNew Remote Dependency Vs Previouspackage.jsondependencies.sbg-utility added in 2.0.13 vs 2.0.12: "https://github.com/dimaslanjaka/static-blog-generator/raw/44e5c7b79b4e60f8c2d34857c27b8ce677d7493e/packages/sbg-utility/release/sbg-utility.tgz"12

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
dependencies.cross-spawnhttps://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgzerror0unexpected end of file
dependencies.git-command-helperhttps://github.com/dimaslanjaka/git-command-helper/raw/ed17f70eb7444d24bd8eb984a4afe9fd64652838/release/git-command-helper.tgzerror0unexpected end of file
dependencies.sbg-utilityhttps://github.com/dimaslanjaka/static-blog-generator/raw/44e5c7b79b4e60f8c2d34857c27b8ce677d7493e/packages/sbg-utility/release/sbg-utility.tgzerror0unexpected end of file

Manifest

Package metadata

Scripts16
  • buildtsc -b tsconfig.build.json && npm run build-tsup && npm run build-exports
  • build-exportsnode -r ts-node/register -r dotenv/config build.mjs
  • build-packagesyarn workspaces foreach --worktree --exclude=binary-collections --no-private run build
  • build-rolluprollup -c rollup.config.js
  • build-tsupnode build.tsup.js
  • cleanrimraf lib tmp/dist binaries
  • packnode package.cjs --yarn --filename=bin
  • preparehusky
  • puppeteer:browsernpx -y puppeteer browsers install chrome
  • testtest-cjs
  • test-coveragenpm test --coverage --detectOpenHandles
  • test-esmtest-esm
  • test-nrsnpm test -- nrs build-**
  • test-watchnpm test --watch
  • update:ncunpx npm-check-updates -u --enginesNode --root -x jest -x @types/jest -x babel-jest -x @babel/core -x @babel/preset-env -x @babel/preset-typescript -x ts-jest -x eslint -x @eslint/eslintrc -x @eslint/js -x @typescript-eslint/eslint-plugin -x @typescript-eslint/parser -x eslint-config-prettier -x eslint-plugin-prettier -x typescript-eslint -x prettier -x typescript -x ts-node -x @yarnpkg/core
  • update:packercurl -L https://github.com/dimaslanjaka/nodejs-package-types/raw/main/packer.js > packer.cjs
Dependencies22
  • @yarnpkg/core^4.7.0
  • ansi-colors^4.1.3
  • axios^1.16.1
  • cross-spawnhttps://github.com/dimaslanjaka/node-cross-spawn/raw/78b09a1f799430fb251c1b438ec56ce7957674f4/release/cross-spawn.tgz
  • crypto-js^4.2.0
  • dotenv^17.4.2
  • fs-extra^11.3.5
  • git-command-helperhttps://github.com/dimaslanjaka/git-command-helper/raw/ed17f70eb7444d24bd8eb984a4afe9fd64652838/release/git-command-helper.tgz
  • glob^13.0.6
  • minimatch^10.2.5
  • minimist^1.2.8
  • ps-node^0.1.6
  • puppeteer^25.0.4
  • puppeteer-extra^3.3.6
  • puppeteer-extra-plugin-stealth^2.11.2
  • sbg-utilityhttps://github.com/dimaslanjaka/static-blog-generator/raw/44e5c7b79b4e60f8c2d34857c27b8ce677d7493e/packages/sbg-utility/release/sbg-utility.tgz
  • tar-stream^3.2.0
  • upath^3.0.7
  • which^7.0.0
  • yaml^2.9.0
  • yarn^1.22.22
  • zlib^1.0.5