Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 81 · status changed
Related candidates
Linked campaigns and clusters
qinguofeng
3 members · evidence strength 73Evidence
Static findings
17 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/website/main/assets/useCompEditStore-BaMFNGpl.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/index.js | 15164897 bytes | 10 |
| medium | Large Javascript Payload | package/dist/website/container/js/vue2-sfc-loader.js | 2209409 bytes | 10 |
| medium | Large Javascript Payload | package/dist/website/container/js/vue3-sfc-loader.js | 2412428 bytes | 10 |
Show all 17 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/website/main/assets/useCompEditStore-BaMFNGpl.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/index.js | 15164897 bytes | 10 |
| medium | Large Javascript Payload | package/dist/website/container/js/vue2-sfc-loader.js | 2209409 bytes | 10 |
| medium | Large Javascript Payload | package/dist/website/container/js/vue3-sfc-loader.js | 2412428 bytes | 10 |
| low | Obfuscation | package/dist/website/main/assets/index-BnpZ3Duk.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/website/main/assets/index-Bw7t67yK.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/website/container/assets/index-Cmi2NYAU.js | matched "\\x2d" | 3 |
| low | Obfuscation | package/dist/website/item/assets/index-D1z-Gulp.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/website/main/assets/index.vue_vue_type_style_index_0_lang-TY8hdvSG.js | matched "\\uD800" | 3 |
| low | Obfuscation | package/dist/website/main/assets/index.vue_vue_type_style_index_0_lang-vmUTBf-P.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/website/main/assets/md5-CDR0X4F9.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/website/main/assets/moment-B-YVwB4U.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/website/main/assets/useCompEditStore-BaMFNGpl.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/website/main/assets/useMessage-CNq7TVBk.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/website/main/assets/vendor-core-B-Si3WEf.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/website/main/assets/vendor-ui-CmoKJ_4A.js | matched "\\x2d" | 3 |
| low | Obfuscation | package/dist/website/main/assets/vendor-xterm-DbWxaMay.js | matched "\\x1B" | 3 |
Manifest
Package metadata
Scripts6
buildnode scripts/build.jsbuild-iframesnode scripts/build-iframes.jsbuild-servernode scripts/build-server.jsbuild-uinode scripts/build-ui.jspublish:upgradenode scripts/publishUpgrade.jsreleasenode scripts/publish.js
Dependencies2
commander^14.0.2esbuild^0.28.0