Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 2,241 (Niche · −30% score)
- Versions published: 56 (Established · −30% score)
- First published: Dec 2025
- Publisher: veerareddyvishal56
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: postinstall added in 9.5.0 vs 9.4.6: "node scripts/check-native.js"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 74 · status changed
Evidence
Static findings
4 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 9.5.0 vs 9.4.6: "node scripts/check-native.js" | 40 |
| medium | Remote Payload | package/src/routing/model-registry.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/benchmark-configs/portkey-docker.sh | matched "curl " | 12 |
| low | Credential file access | package/src/training/trajectory-compressor.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/check-native.js" | 5 |
Manifest
Package metadata
Scripts (15)
- `dev`: `nodemon index.js`
- `lint`: `eslint src index.js`
- `postinstall`: `node scripts/check-native.js`
- `prestart`: `node -e "if(process.env.HEADROOM_ENABLED==='true'&&process.env.HEADROOM_DOCKER_ENABLED!=='false'){process.exit(0)}else{process.exit(1)}" && docker compose --profile headroom up -d --build headroom 2>/dev/null || echo 'Headroom skipped (disabled or Docker not running)'`
- `rebuild-native`: `node scripts/check-native.js`
- `start`: `node index.js 2>&1 | npx pino-pretty --sync`
- `stop`: `node -e "if(process.env.HEADROOM_ENABLED==='true'&&process.env.HEADROOM_DOCKER_ENABLED!=='false'){process.exit(0)}else{process.exit(1)}" && docker compose --profile headroom down || echo 'Headroom skipped (disabled or Docker not running)'`
- `test`: `npm run test:unit && npm run test:performance`
- `test:all`: `npm run test:unit && npm run test:performance && npm run test:benchmark`
- `test:benchmark`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node test/performance-benchmark.js`
- `test:memory`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node --test test/memory/store.test.js test/memory/surprise.test.js test/memory/extractor.test.js test/memory/search.test.js test/memory/retriever.test.js`
- `test:new-features`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node --test test/passthrough-mode.test.js test/openrouter-error-resilience.test.js test/format-conversion.test.js`
- `test:performance`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node test/hybrid-routing-performance.test.js && DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node test/performance-tests.js`
- `test:quick`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node --test test/routing.test.js`
- `test:unit`: `DATABRICKS_API_KEY=test-key DATABRICKS_API_BASE=http://test.com node --test test/routing.test.js test/hybrid-routing-integration.test.js test/web-tools.test.js test/passthrough-mode.test.js test/openrouter-error-resilience.test.js test/format-conversion.test.js test/azure-openai-config.test.js test/azure-openai-format-conversion.test.js test/azure-openai-routing.test.js test/azure-openai-streaming.test.js test/azure-openai-error-resilience.test.js test/azure-openai-integration.test.js test/openai-integration.test.js test/toon-compression.test.js test/llamacpp-integration.test.js test/resilience.test.js test/telemetry-routing.test.js test/memory/store.test.js test/memory/surprise.test.js test/memory/extractor.test.js test/memory/search.test.js test/memory/retriever.test.js test/distill.test.js test/large-payload.test.js test/code-mode.test.js test/prompt-cache-injection.test.js test/risk-analyzer.test.js test/interaction-block.test.js test/preflight.test.js test/token-reduction.test.js test/session-affinity.test.js test/model-registry-cost.test.js`
Dependencies (19)

| Package | Range |
|---|---|
| @azure/openai | ^2.0.0 |
| @babel/parser | ^7.29.0 |
| @babel/traverse | ^7.29.0 |
| @toon-format/toon | ^2.1.0 |
| cockatiel | ^3.2.1 |
| compression | ^1.7.4 |
| diff | ^5.2.0 |
| dotenv | ^16.4.5 |
| express | ^5.1.0 |
| express-rate-limit | ^8.2.1 |
| fast-glob | ^3.3.2 |
| hnswlib-node | ^3.0.0 |
| js-tiktoken | ^1.0.20 |
| js-yaml | ^4.1.1 |
| openai | ^6.14.0 |
| pino | ^8.17.2 |
| pino-http | ^8.6.0 |
| pino-roll | ^4.0.0 |
| undici | ^6.22.0 |
Optional dependencies (6)

| Package | Range |
|---|---|
| better-sqlite3 | ^12.6.2 |
| dockerode | ^4.0.2 |
| tree-sitter | ^0.21.1 |
| tree-sitter-javascript | ^0.21.0 |
| tree-sitter-python | ^0.21.0 |
| tree-sitter-typescript | ^0.21.0 |