PkgRadar

Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
6,815Niche · −30% score
Versions published
535Mature · −50% score
First published
Dec 2014
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes33,304,275
Previous version7.9.1
Published2026-06-15T09:41:21.871Z
SHA-256ab34308f622c6dd7398686cc5203bf96fff1f386211657aea79ddf82a831ac78

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
7.9.2Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/adminWww/assets/Hosts-Bg8QzW5i.jsmatched "raw.githubusercontent.com"12
Show all 11 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/adminWww/assets/Hosts-Bg8QzW5i.jsmatched "raw.githubusercontent.com"12
lowLarge Javascript Payloadpackage/adminWww/assets/bootstrap-COulQZax.js2963640 bytes0
lowLarge Javascript Payloadpackage/admin/custom/assets/index-6_mKOTxB.js3869923 bytes0
lowObfuscation Densitypackage/adminWww/assets/index-8HslT92O.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/admin/custom/assets/index-CiYybikp.js3870122 bytes0
lowLarge Javascript Payloadpackage/admin/custom/assets/index-Drg0QIRU.js3870122 bytes0
lowLarge Javascript Payloadpackage/admin/custom/assets/index-IIKn7Ixx.js3869923 bytes0
lowLarge Javascript Payloadpackage/adminWww/assets/index-jy_3EbfW.js3870114 bytes0
lowLarge Javascript Payloadpackage/admin/custom/assets/index-ZPb95xPG.js3869923 bytes0
lowLarge Javascript Payloadpackage/adminWww/assets/Objects-DPan0bzw.js3322140 bytes0
lowObfuscation Densitypackage/adminWww/static/js/worker-html.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts28
  • buildnpm run build:frontend && npm run build:backend
  • build:backendtsc -p tsconfig.build.json && tsx tasks.mts --backend-i18n
  • build:frontendtsx tasks.mts
  • cleanrimraf src-admin/build
  • lintnpm run lint-backend && cd src-admin && npm run lint
  • lint-backendeslint -c eslint.config.mjs src
  • npmnpm i -f && cd src-admin && npm i -f
  • prepublishOnlynpm run build
  • react-0-configCSStsx tasks.mts --react-0-configCSS
  • react-0-iobCSStsx tasks.mts --react-0-iobCSS
  • react-0-treeTableCSStsx tasks.mts --react-0-treeTableCSS
  • react-1-cleantsx tasks.mts --react-1-clean
  • react-2-npmtsx tasks.mts --react-2-npm
  • react-3-buildtsx tasks.mts --react-3-build
  • react-5-copytsx tasks.mts --react-5-copy
  • react-6-patchtsx tasks.mts --react-6-patch
  • releaserelease-script
  • release-majorrelease-script major --yes
  • release-minorrelease-script minor --yes
  • release-patchrelease-script patch --yes
  • startcd src-admin && npm run start
  • testnpm run test:package && npm run test:unit
  • test:guimocha test/*.gui.js --exit
  • test:integrationmocha test/integration --exit && npm run test:gui && npm run test:rule && npm run test:unit
  • test:packagemocha test/package --exit
  • test:rulemocha test/rule --exit
  • test:unitmocha test/unit --exit
  • update-packagesnpx -y npm-check-updates --upgrade && cd src-admin && npx -y npm-check-updates --upgrade
Dependencies17
  • @iobroker/adapter-core^3.4.1
  • @iobroker/plugin-docker^1.0.3
  • @iobroker/socket-classes^2.3.4
  • @iobroker/webserver^1.4.0
  • @iobroker/ws^3.1.0
  • @iobroker/ws-server^4.4.1
  • ajv^8.20.0
  • archiver^8.0.0
  • body-parser^2.2.2
  • compression^1.8.1
  • express^5.2.1
  • express-fileupload^1.5.2
  • express-session^1.19.0
  • iobroker.mcp^1.0.0
  • json5^2.2.3
  • mime^3.0.0
  • semver^7.8.3