Package evidence

[email protected]

Remote Payload: matched "cURL "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes730,241

Previous version4.0.2-beta.19

Published2026-05-24T20:09:22.230Z

SHA-256e1a55b38f5c374bbe5943603faa808e944502a6e302895ecfb12b050c8c8dea0

Why flagged

What the scanner saw

Remote Payload: matched "cURL "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

23d agoLast checked

highRisk

49Score

4.0.2Version

Status history (1 event)

new → available23d ago · risk high · score 49 · status changed

Evidence

Static findings

13 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/lib/helper/REST.js	matched "cURL "	12

Show all 13 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/lib/helper/REST.js	matched "cURL "	12
low	Install-time lifecycle script	package.json	prepare="husky install"	4
low	Obfuscation	package/lib/helper/Appium.js	matched "Buffer.from(res, 'base64"	3
low	Obfuscation	package/lib/helper/scripts/dropFile.js	matched "atob("	3
low	Obfuscation	package/lib/heal.js	matched "eval("	3
low	Obfuscation	package/lib/plugin/junitReporter.js	matched "\\u0000"	3
low	Obfuscation	package/lib/pause.js	matched "eval("	3
low	Obfuscation	package/lib/helper/Playwright.js	matched "eval("	3
low	Obfuscation	package/lib/helper/Puppeteer.js	matched "eval("	3
low	Obfuscation	package/lib/helper/network/utils.js	matched "Buffer.from(queryParameter.value, 'base64"	3
low	Obfuscation	package/lib/utils.js	matched "\\u001B"	3
low	Obfuscation	package/lib/helper/WebDriver.js	matched "\\uE000"	3
low	Obfuscation	package/lib/element/WebElement.js	matched "\\uE007"	3

Manifest

Package metadata

Scripts35

def./runok.cjs def
dev:graphqlnode test/data/graphql/index.js
docs./runok.cjs docs
dtslintnpm run types-fix && tsd
json-server:graphqlnode test/data/graphql/index.js
linteslint bin/ examples/ lib/ test/ translations/ runok.cjs
lint-fixeslint bin/ examples/ lib/ test/ translations/ runok.cjs --fix
mock-server:startnode test/mock-server/start-mock-server.js
mock-server:stopkill -9 $(lsof -t -i:3001)
preparehusky install
prepare-release./runok.cjs versioning && ./runok.cjs get:commit-log
prettierprettier --config prettier.config.js --write bin/**/*.js lib/**/*.js test/**/*.js translations/**/*.js runok.cjs
publish-beta./runok.cjs publish:next-beta-version
publish:site./runok.cjs publish:site
testnpm run test:unit && npm run test:rest && npm run test:runner
test-app:startphp -S 127.0.0.1:8000 -t test/data/app
test-app:stopkill -9 $(lsof -t -i:8000)
test-servernode bin/test-server.js test/data/rest/db.json --host 0.0.0.0 -p 8010 --read-only
test-server:writablenode bin/test-server.js test/data/rest/db.json --host 0.0.0.0 -p 8010
test:appium-othermocha test/helper/Appium_test.js --grep 'second' --reporter @testomatio/reporter/mocha
test:appium-quickmocha test/helper/Appium_test.js --grep 'quick' --reporter @testomatio/reporter/mocha
test:ios:appium-othermocha test/helper/Appium_ios_test.js --grep 'second' --reporter @testomatio/reporter/mocha
test:ios:appium-quickmocha test/helper/Appium_ios_test.js --grep 'quick' --reporter @testomatio/reporter/mocha
test:pluginmocha test/plugin/plugin_test.js --reporter @testomatio/reporter/mocha
test:restmocha test/rest --recursive --timeout 20000 --reporter @testomatio/reporter/mocha
test:runnermocha test/runner --recursive --timeout 10000 --reporter @testomatio/reporter/mocha
test:unitmocha test/unit --recursive --timeout 10000 --reporter @testomatio/reporter/mocha
test:unit:expectmocha test/helper/Expect_test.js --reporter @testomatio/reporter/mocha
test:unit:webbapi:playwrightmocha test/helper/Playwright_test.js --reporter @testomatio/reporter/mocha
test:unit:webbapi:puppeteermocha test/helper/Puppeteer_test.js --reporter @testomatio/reporter/mocha
…and 5 more.

Dependencies45

@codeceptjs/configure^4.0.0-beta.4
@codeceptjs/helper2.0.4
@cucumber/cucumber-expressions18
@cucumber/gherkin38.0.0
@cucumber/messages32.0.1
@modelcontextprotocol/sdk^1.26.0
@xmldom/xmldom0.9.8
acorn8.15.0
ai^6.0.43
arrify3.0.0
axios1.13.2
chalk4.1.2
cheerio^1.0.0
chokidar^5.0.0
commander14.0.3
cross-spawn7.0.6
css-to-xpath0.1.0
csstoxpath1.6.0
envinfo7.21.0
escape-string-regexp4.0.0
figures3.2.0
fn-args4.0.0
fs-extra11.3.3
fuse.js^7.0.0
glob>=9.0.0 <14
html-minifier-terser7.2.0
inquirer^8.2.7
invisi-data^1.0.0
js-beautify1.15.4
lodash.clonedeep4.5.0
…and 15 more.

Optional dependencies1

@codeceptjs/detox-helper1.1.13