PkgRadar

Package evidence

[email protected]

Remote Payload: matched "cUrl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these discounts; this panel only explains which ones were applied.

Weekly downloads: 996,985 (Ubiquitous · −70% score)
Versions published: 286 (Mature · −50% score)
First published: Jul 2023
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Artifact bytes: 3,202,004
Previous version: 3.16.0
Published: 2026-06-05T19:29:52.705Z
SHA-256: d036825fadd210eff437398afd3bd3e5d52dec7cb0f625d25c70c08c1a0b3c61

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 3.17.0 vs 3.16.0: "node ./scripts/install.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: high
Score: 81
Version: 3.17.0
Last checked
Status history (1 event):
  1. new → available · risk high · score 81 · status changed

Evidence

Static findings

4 static · 1 from release diff · showing high-signal first.

Severity · Kind · Path · Detail · Points
  • high · New Lifecycle Script Vs Previous · package.json · postinstall added in 3.17.0 vs 3.16.0: "node ./scripts/install.js" · 40
  • medium · Remote Payload · package/dist/browser.js · matched "cUrl " · 12
  • medium · Remote Payload · package/dist/edge-light.js · matched "cUrl " · 12
  • medium · Remote Payload · package/dist/workerd.js · matched "cUrl " · 12
Low-signal and informational:
  • low · Install-time lifecycle script · package.json · postinstall="node ./scripts/install.js" · 5

Manifest

Package metadata

Scripts (29)
  • bench: tsx src/queue.bench.ts
  • build: cross-env NODE_OPTIONS="--max-old-space-size=8192" tsup
  • check:typings: tsc --noEmit
  • clean: rm -r dist/* && rm -r dev/dist/* && rm -r util/dist/*
  • docs: typedoc --options typedoc.json src/node/index.ts
  • fix:lint: eslint --fix .
  • lint: eslint .
  • playground: tsx playground.ts
  • playground:auto: mkdir -p .context && pnpm exec esbuild playground.ts --platform=node --format=esm --outfile=.context/playground.auto.mjs && node --import ./dist/auto-instrumentations/hook.mjs ./.context/playground.auto.mjs
  • playground:cli:eval: node dist/cli.js eval playground.ts
  • playground:cli:push: node dist/cli.js push playground.ts
  • postinstall: node ./scripts/install.js
  • test: vitest run --exclude "src/wrappers/**/*.test.ts" --exclude "src/otel/**/*.test.ts" --exclude "smoke/**/*.test.ts" --exclude "src/zod/**/*.test.ts" --exclude "tests/api-compatibility/**"
  • test:ai-sdk-v1: vitest run src/wrappers/ai-sdk-v1.test.ts
  • test:ai-sdk-v2: vitest run src/wrappers/ai-sdk-v2.test.ts src/wrappers/ai-sdk-v1.test.ts
  • test:ai-sdk-v3: vitest run src/wrappers/ai-sdk-v3.test.ts
  • test:all: pnpm run test:checks
  • test:api-compat: vitest run tests/api-compatibility/api-compatibility.test.ts
  • test:checks: pnpm run test:core && pnpm run test:vitest
  • test:core: pnpm prune && pnpm test
  • test:mastra: vitest run src/wrappers/mastra.test.ts
  • test:otel: vitest run --dir src/otel
  • test:otel-no-deps: vitest run src/otel/otel-no-deps.test.ts --reporter=verbose
  • test:output: tsx scripts/test-output.ts --with-comparison --with-metrics --with-progress
  • test:vitest: pnpm --filter @braintrust/vitest-wrapper-tests test
  • test:zod-v3: vitest run src/zod/zod-v3-serialization.test.ts
  • test:zod-v4: vitest run src/zod/zod-v4-serialization.test.ts
  • watch: tsup --watch
  • yalc:publish: yalc publish
Dependencies (24)
  • @apm-js-collab/code-transformer ^0.12.0
  • @next/env ^14.2.3
  • @vercel/functions ^1.0.2
  • ajv ^8.20.0
  • argparse ^2.0.1
  • cli-progress ^3.12.0
  • cli-table3 ^0.6.5
  • cors ^2.8.5
  • dc-browser ^1.0.4
  • dotenv ^16.4.5
  • esbuild 0.28.0
  • eventsource-parser ^1.1.2
  • express ^5.2.1
  • http-errors ^2.0.0
  • minimatch ^10.2.5
  • module-details-from-path ^1.0.4
  • mustache ^4.2.0
  • pluralize ^8.0.0
  • simple-git ^3.36.0
  • source-map ^0.7.4
  • termi-link ^1.0.1
  • unplugin ^2.3.5
  • uuid ^11.1.1
  • zod-to-json-schema ^3.25.0
Optional dependencies (7)
  • @braintrust/bt-darwin-arm64 0.11.1
  • @braintrust/bt-darwin-x64 0.11.1
  • @braintrust/bt-linux-arm64 0.11.1
  • @braintrust/bt-linux-x64 0.11.1
  • @braintrust/bt-linux-x64-musl 0.11.1
  • @braintrust/bt-win32-arm64 0.11.1
  • @braintrust/bt-win32-x64 0.11.1