Package evidence

[email protected]

DNS / OAST exfiltration: matched "dns.resolve"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes83,910

Previous version5.10.7

Published2026-05-15T14:06:32.242Z

SHA-2566b6305d5009891beec657a8678551e6e158b3e23e5bddafb2e43fef2f882d0f4

Why flagged

What the scanner saw

DNS / OAST exfiltration: matched "dns.resolve"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

23d agoLast checked

highRisk

229Score

5.10.8Version

Status history (1 event)

new → available23d ago · risk high · score 229 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPstale

Install Lifecycle Remote Or Exec — prepare="bash -lc 'if [ -f scripts/install-pre-commit.sh ]; then bash scripts/install-pre-commit.sh; else echo \"skipping install-pre-commit; script missing\"; fi'"

2 members · evidence strength 70

Evidence

Static findings

19 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	DNS / OAST exfiltration	package/build/tools/network/dig/index.js	matched "dns.resolve"	30
high	DNS / OAST exfiltration	package/build/tools/network/nslookup/index.js	matched "dns.lookup"	30
high	Credential file access	package/build/tools/network/scp/index.js	matched ".ssh"	30
high	Credential file access	package/build/tools/network/ssh/index.js	matched ".ssh"	30
high	Install Lifecycle Remote Or Exec	package.json	prepare="bash -lc 'if [ -f scripts/install-pre-commit.sh ]; then bash scripts/install-pre-commit.sh; else echo \"Skipping install-pre-commit; script missing\"; fi'"	30
medium	Remote Payload	package/build/index.js	matched "curl "	12
medium	Remote Payload	package/build/tools/ansible/show_ansible_reference/index.js	matched "curl\n\n"	12
medium	Remote Payload	package/build/tools/crypto/generate_basic_auth/index.js	matched "curl "	12
medium	Remote Payload	package/build/tools/network/curl/index.js	matched "curl "	12

Show all 19 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	DNS / OAST exfiltration	package/build/tools/network/dig/index.js	matched "dns.resolve"	30
high	DNS / OAST exfiltration	package/build/tools/network/nslookup/index.js	matched "dns.lookup"	30
high	Credential file access	package/build/tools/network/scp/index.js	matched ".ssh"	30
high	Credential file access	package/build/tools/network/ssh/index.js	matched ".ssh"	30
high	Install Lifecycle Remote Or Exec	package.json	prepare="bash -lc 'if [ -f scripts/install-pre-commit.sh ]; then bash scripts/install-pre-commit.sh; else echo \"Skipping install-pre-commit; script missing\"; fi'"	30
medium	Remote Payload	package/build/index.js	matched "curl "	12
medium	Remote Payload	package/build/tools/ansible/show_ansible_reference/index.js	matched "curl\n\n"	12
medium	Remote Payload	package/build/tools/crypto/generate_basic_auth/index.js	matched "curl "	12
medium	Remote Payload	package/build/tools/network/curl/index.js	matched "curl "	12
low	Install-time lifecycle script	package.json	prepare="bash -lc 'if [ -f scripts/install-pre-commit.sh ]; then bash scripts/install-pre-commit.sh; else echo \"Skipping install-pre-commit; script missing\"; fi'"	4
low	Obfuscation	package/build/index.js	matched "\\x08"	3
low	Obfuscation	package/build/tools/ansible/decrypt_ansible_vault/index.js	matched "Buffer.from(dataLines, 'base64"	3
low	Obfuscation	package/build/tools/crypto/decode_jwt/index.js	matched "Buffer.from(parts[0], 'base64"	3
low	Obfuscation	package/build/tools/data_format/format_json/index.js	matched "eval("	3
low	Obfuscation	package/build/tools/encoding/convert_text_to_binary/index.js	matched "fromCharCode"	3
low	Obfuscation	package/build/tools/encoding/decode_base64/index.js	matched "Buffer.from(text, 'base64"	3
low	Obfuscation	package/build/tools/forensic/identify_file_type/index.js	matched "Buffer.from(data, 'base64"	3
low	Obfuscation	package/build/tools/text/convert_text_to_unicode/index.js	matched "fromCharCode"	3
low	Obfuscation	package/build/tools/text/slugify_text/index.js	matched "\\u0300"	3

Manifest

Package metadata

Scripts19

buildnpm run sync:manifest || true && tsc && chmod +x build/index.js
build:dockertsc && chmod +x build/index.js
deploy:buildnpm run build && docker buildx build --platform linux/amd64,linux/arm64 --provenance=true --sbom=true -t it-tools-mcp:latest .
deploy:prodnpm run deploy:build && docker-compose up -d
devNODE_ENV=development MCP_DEV_MODE=true tsc && node build/index.js
dev:buildNODE_ENV=development tsc
docker:builddocker buildx build --platform linux/amd64,linux/arm64 --provenance=true --sbom=true -t it-tools-mcp .
docker:build:localdocker build -t it-tools-mcp .
docker:rundocker-compose up --build
docker:stopdocker-compose down
mcp:loginmcp-publisher login github
mcp:publishmcp-publisher publish
preparebash -lc 'if [ -f scripts/install-pre-commit.sh ]; then bash scripts/install-pre-commit.sh; else echo "Skipping install-pre-commit; script missing"; fi'
setup:hookschmod +x .git/hooks/pre-commit
startdocker-compose up --build
start:nodenode build/index.js
sync:manifestnode scripts/sync-manifest.mjs
testclear;node tests/test-server.mjs
test:allclear;node tests/all-tools-test.mjs

Dependencies34

@iarna/toml^2.2.5
@modelcontextprotocol/sdk^1.24.3
@types/js-yaml^4.0.9
@types/papaparse^5.3.16
@types/qrcode^1.5.5
bcryptjs^3.0.2
bip39^3.1.0
color^5.0.0
cron-parser^5.3.0
diff^8.0.2
emoji-js^3.8.1
figlet^1.8.1
html-to-text^9.0.5
iban^0.0.14
js-yaml^4.1.0
libphonenumber-js^1.12.9
marked^16.0.0
mathjs^15.2.0
mime-types^3.0.1
papaparse^5.5.3
ping^0.4.4
ps-list^8.1.1
qrcode^1.5.4
read-last-lines^1.8.0
shell-escape^0.2.0
speakeasy^2.0.0
sql-formatter^15.6.6
ssh2^1.16.0
telnet-client^2.2.5
turndown^7.2.0
…and 4 more.