Package evidence

[email protected]

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 602
Versions published: 146Established · −30% score
First published: Aug 2025
Publisher: sid.mathur

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publishersid.mathur

Artifact bytes405,107

Previous version2.0.165

Published2026-06-12T03:10:34.648Z

SHA-256fbea29a073a1ea731feb6eb9ab913a30287735b153dcd58a388c8caab1892d96

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

5d agoLast checked

highRisk

35Score

2.0.166Version

Status history (1 event)

new → available5d ago · risk high · score 35 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Hidden Powershell	package/dist/src/cli/commands/add-provider.js	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.	45

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Js Hidden Powershell	package/dist/src/cli/commands/add-provider.js	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.	45
low	Install-time lifecycle script	package.json	postinstall="node ./bin/fraim.js sync --skip-updates \|\| echo 'FRAIM setup skipped.'"	5

Manifest

Package metadata

Scripts56

backfill:persona-entitlementstsx scripts/backfill-persona-entitlements.ts
buildtsx scripts/build-fraim-config-schema-template.ts && npm run typecheck:scripts && tsc && npm run build:stubs && npm run build:fraim-brain && node scripts/copy-registry.js && npm run validate:registry && npm run validate:fraim-pro-assets && npm run validate:employee-catalog && npm run validate:learning-format-contract && tsx scripts/validate-purity.ts
build:fraim-brainnode scripts/generate-fraim-brain.js
build:stubstsx scripts/build-stub-registry.ts
devtsx --watch src/fraim-mcp-server.ts > server.log 2>&1
dev:fraimtsx --watch src/fraim-mcp-server.ts
dev:prodnpm run build && node dist/src/fraim-mcp-server.js > server.log 2>&1
firstrun:devtsx scripts/start-firstrun-dev.ts
fix-keytsx scripts/fraim/fix-expired-key.ts
fraim:initnpm run build && node index.js init
fraim:syncnode index.js sync --local
hub:desktopnpm run build && electron dist/src/ai-hub/desktop-main.js
hub:devtsx scripts/start-hub-dev.ts
manage-keystsx scripts/fraim/manage-keys.ts
manage-teamstsx scripts/fraim/manage-teams.ts
partner-discountstsx scripts/fraim/manage-partner-discounts.ts
postinstallnode ./bin/fraim.js sync --skip-updates || echo 'FRAIM setup skipped.'
prepublishOnlynpm run build
publish-bothnode scripts/publish-both.js
publish-both-manualnode scripts/publish-both.js
publish-fraim-onlynode scripts/publish-fraim.js
releasenpm version patch && npm run publish-both
serve:websitenode fraim-pro/serve.js
setup-stripe-webhooktsx scripts/fraim/setup-stripe-webhook.ts
start:fraimtsx src/fraim-mcp-server.ts
testnode scripts/test-with-server.js
test-allnpm run test && npm run test:isolated tests/isolated/test-*.ts && npm run test:ui
test:coveragenode scripts/test-with-server.js --tags=smoke --coverage
test:isolatednode scripts/test-isolated.js
test:perfnode scripts/test-with-server.js tests/performance/analytics-perf.ts
…and 26 more.

Dependencies20

@octokit/rest^22.0.1
adm-zip^0.5.16
axios^1.7.0
chalk4.1.2
commander^14.0.2
cors^2.8.5
dotenv^16.4.7
electron^41.2.2
express^5.2.1
mongodb^7.0.0
node-edge-tts^1.2.10
nodemailer^8.0.3
prompts^2.4.2
resend^6.9.3
selfsigned^5.5.0
semver^7.7.4
stripe^20.3.1
toml^3.0.0
tree-kill^1.2.2
xml2js^0.6.2