Package evidence
[email protected]
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 89
- Versions published
- 39
- First published
- Jan 2026
- Publisher
- varun1213213123132
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"
1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 122 · status changed
Evidence
Static findings
21 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz" | 12 |
| medium | Credential file access | package/local-dist-new/ml/adapters/amazon-bedrock.js | matched ".AWS" | 10 |
| medium | Credential file access | package/local-dist-new/ml/adapters/azure-openai-responses.js | matched ".azure" | 10 |
| medium | Credential file access | package/local-dist-new/ml/env-api-keys.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
Show all 21 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz" | 12 |
| medium | Credential file access | package/local-dist-new/ml/adapters/amazon-bedrock.js | matched ".AWS" | 10 |
| medium | Credential file access | package/local-dist-new/ml/adapters/azure-openai-responses.js | matched ".azure" | 10 |
| medium | Credential file access | package/local-dist-new/ml/env-api-keys.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| low | Credential file access | package/local-dist-new/mcp/config.js | matched "GITHUB_TOKEN" | 5 |
| low | Obfuscation | package/local-dist-new/bot/actions/crew/activity-tracker.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/local-dist-new/ml/adapters/amazon-bedrock.js | matched "atob(" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/auth/anthropic.js | matched "atob(" | 3 |
| low | Obfuscation | package/local-dist-new/bot/actions/edit-diff.js | matched "\\u2018" | 3 |
| low | Obfuscation | package/local-dist-new/ui/fuzzy.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/auth/github-copilot.js | matched "atob(" | 3 |
| low | Obfuscation | package/local-dist-new/ui/keys.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/message-transform.js | matched "\\x00" | 3 |
| low | Obfuscation | package/local-dist-new/ml/adapters/openai-codex-responses.js | matched "atob(" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/auth/openai-codex.js | matched "atob(" | 3 |
| low | Obfuscation | package/local-dist-new/bot/actions/path-utils.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/auth/pkce.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/local-dist-new/bot/actions/process.js | matched "\\x1B" | 3 |
| low | Obfuscation | package/local-dist-new/ml/kit/sanitize-unicode.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/local-dist-new/IndusForge/terminal-chat.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/local-dist-new/ui/utils.js | matched "\\uFE0F" | 3 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.xlsx | https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz | review | 27 | obfuscation: matched "\\u0000" |
Manifest
Package metadata
Scripts6
buildtsc -p tsconfig.build.jsoncleanrm -rf local-dist-newdevtsc -p tsconfig.build.json --watch --preserveWatchOutputprepublishOnlynpm run clean && npm run buildtestvitest --runtest:watchvitest
Dependencies41
@anthropic-ai/sdk0.71.2@aws-sdk/client-bedrock-runtime^3.966.0@composio/core^0.6.8@google/genai1.34.0@lmstudio/sdk^1.5.0@mariozechner/clipboard^0.3.0@mariozechner/jiti^2.6.2@mistralai/mistralai1.10.0@modelcontextprotocol/sdk^1.24.0@silvia-odwyer/photon-node^0.3.4@sinclair/typebox^0.34.41@types/mime-types^2.1.4ajv^8.17.1ajv-formats^3.0.1chalk^5.5.0cli-highlight^2.1.11croner^8.1.2diff^8.0.2docx-preview^0.3.7file-type^21.1.1get-east-asian-width^1.3.0glob^11.0.3ink^5.2.1jszip^3.10.1lucide^0.544.0marked^15.0.12mime-types^3.0.1minimatch^10.1.1ollama^0.6.0openai6.10.0- …and 11 more.