Package evidence
[email protected]
Remote Dependency Spec: dependencies.@hop/hiphop="https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 7
- Versions published
- 8
- First published
- Nov 2025
- Publisher
- hedelin
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.@hop/hiphop="https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz"
2 candidate cluster(s) currently reference this release. 1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 36 · status changed
Related candidates
Linked campaigns and clusters
https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz
2 members · evidence strength 6126eb1217e2758ff38e09eb48e606fa6c56bcea6052741ff78f43ca8cb7c39026
2 members · evidence strength 66https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz
2 members · max score 2426eb1217e2758ff38e09eb48e606fa6c56bcea6052741ff78f43ca8cb7c39026
2 members · max score 24Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.@hop/hiphop="https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz" | 12 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.@hop/hiphop="https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz" | 12 |
| low | Obfuscation Density | package/client/clientListe/Sortable-master/package-lock.json | high encoded/escaped-token density | 0 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.@hop/hiphop | https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgz | high | 24 | remote_dependency_spec: dependencies.@hop/hopc="https://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hopc.tgz" |
Manifest
Package metadata
Scripts6
check:hhprettier "**/*.hh.js" --checkcontrhhnode scripts/contrhh-cli.mjs --port 8080format:hhnode scripts/format-hh.mjsformat:hh:customnode scripts/format-hh.mjsformat:hh:prettierprettier "**/*.hh.js" --writetestecho "Error: no test specified" && exit 1
Dependencies13
@hop/hiphophttps://www-sop.inria.fr/members/Manuel.Serrano/software/npmx/hiphop-unstable.tgzabletonlink^0.2.0-beta.0browserify^17.0.0csv-array^0.0.22decache^4.6.0express^4.17.1jquery^3.7.1jsuites^6.0.1midi^2.0.0osc-min^1.1.2popper.js^1.16.1react^19.2.3ws^7.4.5