Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
| Signal | Value |
|---|---|
| Weekly downloads | 2,074 (Niche · −30% score) |
| Versions published | 124 |
| First published | Mar 2026 |
| Publisher | adarsh.agrahari26 |
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update. Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl:

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["nexus-prime@7.9.31"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["nexus-prime@7.9.31"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
Credential file access: matched "GITHUB_TOKEN"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (5 events)
- available → available · risk high · score 67 · status available -> available, risk high -> high, score 97 -> 67
- available → available · risk high · score 97 · status available -> available, risk high -> high, score 32 -> 97
- scan_error → available · risk high · score 32 · status scan_error -> available, risk none -> high, score none -> 32
- new → scan_error · risk none · score — · HTTP status client error (404 Not Found) for url (https://registry.npmjs.org/nexus-prime/-/nexus-prime-7.9.31.tgz)
- new → scan_error · risk none · score — · HTTP status client error (404 Not Found) for url (https://registry.npmjs.org/nexus-prime/-/nexus-prime-7.9.31.tgz)
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/engines/github-bridge.js | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/dist/engines/guardrails-bridge.js | matched "GITHUB_TOKEN" | 30 |
| high | Install Lifecycle Remote Or Exec | package.json | postinstall="node -e \"const fs=require('fs'); const cleanup='dist/postinstall/cleanup.js'; if (fs.existsSync(cleanup)) { import('./'+cleanup).catch(()=>{}); } const p='dist/postinstall-bootstrap.js'; if (fs.existsSync(p)) { import('./'+p); }\"" | 30 |
| medium | Remote Payload | package/dist/engines/guardrails-bridge.js | matched "raw.githubusercontent.com" | 12 |
| low | Install-time lifecycle script | package.json | postinstall="node -e \"const fs=require('fs'); const cleanup='dist/postinstall/cleanup.js'; if (fs.existsSync(cleanup)) { import('./'+cleanup).catch(()=>{}); } const p='dist/postinstall-bootstrap.js'; if (fs.existsSync(p)) { import('./'+p); }\"" | 5 |
Manifest
Package metadata
Scripts (21)
- `audit:prod`: `npm audit --omit=dev`
- `build`: `tsc && chmod +x dist/cli.js && mkdir -p dist/dashboard/app && cp -R src/dashboard/app/. dist/dashboard/app/ && cp src/dashboard/welcome.html dist/dashboard/welcome.html && mkdir -p dist/engines/data && cp src/engines/data/*.json dist/engines/data/ && mkdir -p dist/migrations && cp -R src/migrations/. dist/migrations/`
- `clean`: `node -e "require('fs').rmSync('dist', { recursive: true, force: true })"`
- `dev`: `tsc --watch`
- `generate:competitive-landscape`: `tsx scripts/generate-competitive-landscape.ts`
- `generate:readme-catalog`: `tsx scripts/generate-readme-runtime-catalog.ts`
- `init`: `node dist/cli.js init`
- `lint`: `eslint src --ext .ts`
- `nexus:dev`: `node dev-orchestrator.mjs`
- `postinstall`: `node -e "const fs=require('fs'); const cleanup='dist/postinstall/cleanup.js'; if (fs.existsSync(cleanup)) { import('./'+cleanup).catch(()=>{}); } const p='dist/postinstall-bootstrap.js'; if (fs.existsSync(p)) { import('./'+p); }"`
- `prebuild`: `npm run clean`
- `prepare`: `git config core.hooksPath .hooks || true`
- `prepush`: `tsx scripts/check-file-sizes.ts && tsx scripts/perf-bench.ts`
- `qa:release`: `npm run build && npm run lint && npm test && npm pack --dry-run && npm run audit:prod && npm run smoke:release`
- `size-check`: `tsx scripts/check-file-sizes.ts`
- `smoke:release`: `tsx scripts/release-smoke.ts`
- `start`: `node dist/cli.js start`
- `test`: `npm run build && tsx test/basic.test.ts && tsx test/memory.test.ts && tsx test/memory-regressions.test.ts && tsx test/memory-bridge.test.ts && tsx test/automation-runtime.test.ts && tsx test/session-dna-search.test.ts && tsx test/channel-gateway.test.ts && tsx test/semantic-ranking.test.ts && tsx test/storage-maintenance.test.ts && tsx test/ngram-index.test.ts && tsx test/security-shield.test.ts && tsx test/compaction-sentinel.test.ts && tsx test/context-compressor.test.ts && tsx test/embedder.test.ts && tsx test/skill-learner.test.ts && tsx test/skill-distribution.test.ts && tsx test/darwin-integration.test.ts && tsx test/github-bridge.test.ts && tsx test/telemetry-remote.test.ts && tsx test/orchestrator-engine.test.ts && tsx test/phase9.test.ts && tsx test/work-ledger.test.ts && tsx src/verify-token-scoring.ts && tsx test/phantom.test.ts && tsx test/rag-collections.test.ts && tsx test/dashboard.test.ts && tsx test/docs.test.ts && tsx test/competitive-landscape.test.ts && tsx test/runtime-upgrade-path.test.ts && tsx test/runtime-setup.test.ts && tsx test/control-plane-integration.test.ts && tsx test/runtime-timeout.test.ts && tsx test/mcp-dashboard-contract.test.ts && tsx test/dashboard-surfaces.test.ts && tsx test/startup-and-runtime-regressions.test.ts && tsx test/mcp-readiness-truth.test.ts && tsx test/mcp-stdio-session.test.ts && tsx test/kernel-context.test.ts && tsx test/kernel-execution.test.ts && tsx test/kernel-runtime.test.ts && tsx test/adapter-boundary.test.ts && tsx test/mcp-deprecation.test.ts && tsx test/dashboard-mutations.test.ts && tsx test/dashboard-agent-control.test.ts && tsx test/dashboard-runtime-adapters.test.ts && tsx test/hooks-adapter.test.ts && tsx test/admin-adapter.test.ts && tsx test/pkg-subexport.test.ts && tsx test/dashboard-sse-only.test.ts && tsx test/license-sync-offline.test.ts && tsx test/mcp-killlist-v2.test.ts && tsx test/uninstall.test.ts && tsx test/uninstall-lifecycle.test.ts && tsx test/install-arch-upgrade.test.ts && tsx test/unregister-configs.test.ts && tsx test/cleanup-storage.test.ts && tsx test/dashboard-memory-truthfulness.test.ts && tsx test/runtime-lifecycle.test.ts && tsx test/orchestrate-pipeline.test.ts && tsx test/daemon-supervisor.test.ts && tsx test/auto-optimize-tokens.test.ts && npm run test:synapse && npm run test:architects && npm run test:public`
- `test:architects`: `tsx src/architects/__tests__/run.ts`
- `test:public`: `tsx test/public-surface.test.ts`
- `test:synapse`: `tsx src/synapse/__tests__/run.ts`
Dependencies (10)
| Package | Range |
|---|---|
| @modelcontextprotocol/sdk | ^1.27.1 |
| better-sqlite3 | ^12.6.2 |
| commander | ^11.1.0 |
| dotenv | ^16.3.1 |
| express | ^4.18.2 |
| js-yaml | ^4.1.1 |
| pino | ^8.17.2 |
| uuid | ^14.0.0 |
| ws | ^8.20.1 |
| zod | ^3.22.4 |