PkgRadar

Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,383Niche · −30% score
Versions published
215Mature · −50% score
First published
Sep 2022
Publisher
hawkeyexl

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherhawkeyexl
Artifact bytes1,694,406
Previous version4.12.1
Published2026-06-17T18:40:09.492Z
SHA-25651f0333c15ae727a74a75f631571f51ab6a548488dfef375db925456d5d5f6b4

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
27Score
4.13.0Version
Status history (1 event)
  1. newavailable · risk high · score 27 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/agents/adapters/claude-code.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/codex.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/copilot-cli.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/gemini-cli.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/opencode.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/qwen-code.jsmatched "raw.githubusercontent.com"12
Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/agents/adapters/claude-code.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/codex.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/copilot-cli.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/gemini-cli.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/opencode.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/agents/adapters/qwen-code.jsmatched "raw.githubusercontent.com"12
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node --disable-warning=DEP0190 scripts/postinstall.js"5
lowLarge Javascript Payloadpackage/dist/index.cjs9405444 bytes0

Manifest

Package metadata

Scripts21
  • buildnpm run build:common && npm run compile && npm run copy:schemas
  • build:commoncd src/common && npm run build
  • commitlintcommitlint --edit
  • compiletsc && node scripts/createCjsWrapper.js
  • container:buildnode src/container/scripts/build.cjs
  • container:build:basenode src/container/scripts/build.cjs --target=base
  • container:build:base:pushnode src/container/scripts/build.cjs --target=base --push
  • container:rebuildnode src/container/scripts/build.cjs --no-cache
  • container:testmocha src/container/test/*.test.cjs --timeout 0
  • copy:schemasnode -e "const fs=require('fs');const p=require('path');const s=p.join('src','common','src','schemas','schemas.json');const d=p.join('dist','common','src','schemas','schemas.json');fs.mkdirSync(p.dirname(d),{recursive:true});fs.copyFileSync(s,d);"
  • devnode ./dev
  • installAgentsnode ./bin/doc-detective.js install-agents
  • mochamocha
  • postinstallnode --disable-warning=DEP0190 scripts/postinstall.js
  • preparehusky
  • runTestsnode ./bin/doc-detective.js runTests
  • semantic-releasesemantic-release
  • startnode ./bin/doc-detective.js
  • testmocha --exit test/*.test.js && npm run test:common
  • test:commoncd src/common && npm test
  • watchnodemon --watch src --ext ts --exec "npm run compile"
Dependencies16
  • @apidevtools/json-schema-ref-parser^15.3.5
  • @inquirer/prompts^8.5.2
  • adm-zip^0.5.17
  • ajv^8.20.0
  • ajv-errors^3.0.0
  • ajv-formats^3.0.1
  • ajv-keywords^5.1.0
  • axios^1.17.0
  • dotenv^17.4.2
  • fast-xml-parser^5.8.0
  • jq-web^0.6.2
  • json-schema-faker^0.6.2
  • posthog-node^5.36.3
  • tree-kill^1.2.2
  • yaml^2.9.0
  • yargs^18.0.0