Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher: GitHub Actions · Trusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl:
```
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 168 · status changed
Evidence
Static findings
29 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/src/browser.cjs | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/index.cjs | matched "cUrl " | 12 |
| medium | Obfuscation Density | package/dist/index.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/src/agents/index.cjs | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/src/react/index.cjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/server/index.cjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/chunk-2M2JEBVY.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/index.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/react/index.js | matched "cUrl " | 12 |
| low | Obfuscation | package/dist/src/browser.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/client.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/auth/index-node.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/dist/index.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/adapters/index.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/agents/index.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/auth/index.cjs | matched "atob(" | 3 |
| low | Obfuscation | package/dist/src/react/index.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/server/index.cjs | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/src/browser.js | matched "\\u2705" | 3 |
| low | Obfuscation | package/dist/chunk-7GLJGAAF.js | matched "\\u26A0" | 3 |
| low | Obfuscation | package/dist/chunk-MMRBRXYD.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/chunk-NDBBBXYZ.js | matched "\\u2705" | 3 |
| low | Obfuscation | package/dist/chunk-PBRJ6OQS.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/chunk-QWQYAQCK.js | matched "\\u274C" | 3 |
| low | Obfuscation | package/dist/chunk-T3NTW3VV.js | matched "\\u26A0" | 3 |
| low | Obfuscation | package/dist/display-T5DUYBJN.js | matched "\\u2728" | 3 |
| low | Obfuscation | package/dist/index.js | matched "\\u2705" | 3 |
| low | Obfuscation | package/dist/src/react/index.js | matched "\\u2705" | 3 |
| low | Obfuscation | package/dist/src/server/index.js | matched "fromCharCode" | 3 |
Manifest
Package metadata
Scripts (65)
- `build`: `npm run generate:version && rimraf dist && tsup && tsc --emitDeclarationOnly --declaration`
- `example:add_server`: `tsx examples/typescript/agent/server-management/add_server_tool.ts`
- `example:ai_sdk`: `tsx examples/typescript/agent/frameworks/ai_sdk_example.ts`
- `example:airbnb`: `tsx examples/typescript/agent/integrations/airbnb_use.ts`
- `example:blender`: `tsx examples/typescript/agent/integrations/blender_use.ts`
- `example:browser`: `tsx examples/typescript/agent/integrations/browser_use.ts`
- `example:browser:full`: `tsx examples/client/browser/full-features-example.ts`
- `example:chat`: `tsx examples/typescript/agent/basic/chat_example.ts`
- `example:client:completion`: `tsx examples/client/node/communication/completion-client.ts`
- `example:client:notification`: `tsx examples/client/node/communication/notification-client.ts`
- `example:client:oauth:auth0`: `tsx examples/typescript/server/oauth/auth0/src/server.ts`
- `example:client:oauth:keycloak`: `tsx examples/typescript/server/oauth/keycloak/src/server.ts`
- `example:client:oauth:workos`: `tsx examples/typescript/server/oauth/workos/src/server.ts`
- `example:client:sampling`: `tsx examples/client/node/communication/sampling-client.ts`
- `example:code_mode`: `tsx examples/typescript/agent/code-mode/code_mode_example.ts`
- `example:code_mode_e2b`: `source .env 2>/dev/null || true && tsx examples/typescript/agent/code-mode/code_mode_e2b_example.ts`
- `example:commonjs`: `node examples/client/browser/commonjs/commonjs_example.cjs`
- `example:completion`: `lsof -ti:3000 | xargs kill -9 2>/dev/null; tsx examples/server/features/completion/src/server.ts & sleep 6 && tsx examples/client/node/communication/completion-client.ts`
- `example:everything`: `tsx examples/typescript/agent/basic/mcp_everything.ts`
- `example:filesystem`: `tsx examples/typescript/agent/integrations/filesystem_use.ts`
- `example:http`: `tsx examples/typescript/client/basic/http_example.ts`
- `example:multi`: `tsx examples/typescript/agent/server-management/multi_server_example.ts`
- `example:node:full`: `tsx examples/client/node/full-features-example.ts`
- `example:notifications`: `lsof -ti:3000 | xargs kill -9 2>/dev/null; tsx examples/server/features/notifications/src/server.ts & sleep 3 && tsx examples/client/node/communication/notification-client.ts`
- `example:observability`: `tsx examples/typescript/agent/advanced/observability.ts`
- `example:sampling`: `lsof -ti:3000 | xargs kill -9 2>/dev/null; tsx examples/server/features/sampling/src/server.ts & sleep 3 && tsx examples/client/node/communication/sampling-client.ts`
- `example:server:completion`: `tsx examples/server/features/completion/src/server.ts`
- `example:server:dns-rebinding`: `pnpm --dir examples/server/features/dns-rebinding dev`
- `example:server:elicitation`: `tsx examples/server/features/elicitation/src/server.ts`
- `example:server:mcp-apps`: `tsx examples/server/ui/mcp-apps/index.ts`
- …and 35 more.
Dependencies (12)
- @hono/node-server ^1.19.13
- @mcp-ui/server ^6.1.0
- @mcp-use/cli 3.2.1-canary.16
- @mcp-use/inspector 7.0.0-canary.16
- @modelcontextprotocol/ext-apps ^1.0.1
- @modelcontextprotocol/sdk ^1.26.0
- express ^5.2.1
- hono ^4.12.12
- jose ^6.1.3
- node-mocks-http ^1.17.2
- posthog-js ^1.351.3
- posthog-node ^5.24.17
Optional dependencies (3)
- chalk ^5.6.2
- cli-highlight ^2.1.11
- redis ^5.10.0