PkgRadar

Package evidence

[email protected]

Install Lifecycle Remote Or Exec: preinstall="node -e \"if(+process.versions.node.split('.')[0]<20){console.error('\\nhelmrig requires Node.js >= 20 (you have '+process.version+').\\nUpgrade Node: https://nodejs.org/\\n');process.exit(1)}\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
63
Versions published
37
First published
Apr 2026
Publisher
joarhal

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherjoarhal
Artifact bytes185,503
Previous version0.8.1
Published2026-05-15T17:41:37.600Z
SHA-256cc65b2b422b0fe8fd0c27ef18dd665abc92fadc4ad76a4b15b93061634ea11b1

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: preinstall="node -e \"if(+process.versions.node.split('.')[0]<20){console.error('\\nhelmrig requires Node.js >= 20 (you have '+process.version+').\\nUpgrade Node: https://nodejs.org/\\n');process.exit(1)}\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
40Score
0.8.2Version
Status history (1 event)
  1. newavailable · risk high · score 40 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpreinstall="node -e \"if(+process.versions.node.split('.')[0]<20){console.error('\\nhelmrig requires Node.js >= 20 (you have '+process.version+').\\nUpgrade Node: https://nodejs.org/\\n');process.exit(1)}\""30
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpreinstall="node -e \"if(+process.versions.node.split('.')[0]<20){console.error('\\nhelmrig requires Node.js >= 20 (you have '+process.version+').\\nUpgrade Node: https://nodejs.org/\\n');process.exit(1)}\""30
lowCredential file accesspackage/dist/server.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowInstall-time lifecycle scriptpackage.jsonpreinstall="node -e \"if(+process.versions.node.split('.')[0]<20){console.error('\\nhelmrig requires Node.js >= 20 (you have '+process.version+').\\nUpgrade Node: https://nodejs.org/\\n');process.exit(1)}\""5

Manifest

Package metadata

Scripts33
  • buildrm -rf bin dist && bun run build:supervisor && bun run build:server && bun run build:strip
  • build:serverbun build src/server/index.ts --target=node --format=esm --minify --external better-sqlite3 --external node-pty --external chokidar --external fastify --external @fastify/websocket --outfile=dist/server.js
  • build:stripnode scripts/strip-bundle-paths.mjs dist/server.js bin/supervisor.js
  • build:supervisorbun build src/index.ts --target=node --format=esm --minify --external ink --external react --external react-devtools-core --external better-sqlite3 --external bindings --external node-pty --external chokidar --external fastify --external @fastify/websocket --outfile=bin/supervisor.js --banner='#!/usr/bin/env node' && chmod +x bin/supervisor.js
  • claude:capturetsx scripts/claude-capture.ts
  • claude:checktsx scripts/claude-check.ts
  • claude:check-efforttsx scripts/claude-check-effort.ts
  • clitsx scripts/helmrig-cli.ts
  • codex-app-server:capturetsx scripts/codex-app-server-capture.ts
  • codex-app-server:checktsx scripts/codex-app-server-check.ts
  • codex:capturetsx scripts/codex-capture.ts
  • codex:checktsx scripts/codex-check.ts
  • codex:check-efforttsx scripts/codex-check-effort.ts
  • devtsx src/index.ts
  • dev:logsscripts/dev-server.sh logs
  • dev:restartscripts/dev-server.sh restart
  • dev:startscripts/dev-server.sh start
  • dev:statusscripts/dev-server.sh status
  • dev:stopscripts/dev-server.sh stop
  • gemini:capturetsx scripts/gemini-capture.ts
  • gemini:checktsx scripts/gemini-check.ts
  • gemini:check-efforttsx scripts/gemini-check-effort.ts
  • preinstallnode -e "if(+process.versions.node.split('.')[0]<20){console.error('\nhelmrig requires Node.js >= 20 (you have '+process.version+').\nUpgrade Node: https://nodejs.org/\n');process.exit(1)}"
  • prepublishOnlybun run build && bun run tsc --noEmit && bun run test
  • release:cleanscripts/release-server.sh clean
  • release:logsscripts/release-server.sh logs
  • release:restartscripts/release-server.sh restart
  • release:startscripts/release-server.sh start
  • release:statusscripts/release-server.sh status
  • release:stopscripts/release-server.sh stop
  • …and 3 more.
Dependencies9
  • @agentclientprotocol/sdk^0.20.0
  • @fastify/websocket^11.2.0
  • better-sqlite3^12.8.0
  • chokidar^5.0.0
  • fastify^5.8.4
  • ink^7.0.1
  • node-pty1.2.0-beta.12
  • react^19.2.5
  • ws^8.20.0