Package evidence

[email protected]

Remote Payload: matched "cUrl "

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publishercamcima

Artifact bytes252,421

Previous version0.3.1

Published2026-05-24T18:02:26.203Z

SHA-2566b42bca754d1233acc42f9a3bb1b62771009d7ec1ddec75c61ec5c990e7e0d63

Why flagged

What the scanner saw

Remote Payload: matched "cUrl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

10d agoLast checked

highRisk

58Score

0.4.0Version

Status history (1 event)

new → available10d ago · risk high · score 58 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

camcima

2 members · evidence strength 55

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cli.cjs	matched "cUrl "	12
medium	Remote Payload	package/dist/index.cjs	matched "cUrl "	12
medium	Remote Payload	package/dist/cli.js	matched "cUrl "	12
medium	Remote Payload	package/dist/index.js	matched "cUrl "	12

Show all 7 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cli.cjs	matched "cUrl "	12
medium	Remote Payload	package/dist/index.cjs	matched "cUrl "	12
medium	Remote Payload	package/dist/cli.js	matched "cUrl "	12
medium	Remote Payload	package/dist/index.js	matched "cUrl "	12
low	Install-time lifecycle script	package.json	prepare="lefthook install"	4
low	Obfuscation	package/dist/cli.cjs	matched "\\u2014"	3
low	Obfuscation	package/dist/cli.js	matched "\\u2014"	3

Manifest

Package metadata

Scripts17

buildtsup
devtsx src/cli.ts start --config ./examples/config.json
formatprettier --write '**/*.{ts,js,json,md,yml,yaml}' '!**/dist/**' '!**/node_modules/**' '!**/coverage/**' '!**/package-lock.json'
format:checkprettier --check '**/*.{ts,js,json,md,yml,yaml}' '!**/dist/**' '!**/node_modules/**' '!**/coverage/**' '!**/package-lock.json'
linteslint 'src/**/*.ts' 'tests/**/*.ts'
lint:fixeslint 'src/**/*.ts' 'tests/**/*.ts' --fix
preparelefthook install
releaserelease-it
release:allnpm run release && npm run release:docker
release:alpharelease-it prerelease --preRelease=alpha
release:dockergh workflow run release-docker.yml -f tag=v$(node -p "require('./package.json').version")
release:dryrelease-it --dry-run
testvitest run
test:civitest run --coverage --reporter=default --reporter=junit --outputFile.junit=test-report.junit.xml
test:coveragevitest run --coverage
test:watchvitest
typechecktsc --noEmit

Dependencies8

@fastify/cors^11.2.0
@fastify/formbody^8.0.1
@httptoolkit/httpolyglot^3.0.1
chokidar^4.0.3
fastify^5.2.0
jose^5.9.6
pino^9.5.0
zod^4.0.0