Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl:
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 270 · status changed
Related candidates
Linked campaigns and clusters
nolotus
4 members · evidence strength 84
Evidence
Static findings
72 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/agentRecordHelpers.ts | matched "curl " | 12 |
| medium | Remote Payload | package/server/payments/crypto/cryptoUsdcBaseConfig.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/auth/server/emailAutomationTemplates.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/auth/server/emailScenarioNotifications.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/ai/tools/importSkillTool.ts | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/server/handlers/agentRun/toolExecutor.ts | matched "raw.githubusercontent.com" | 12 |
Show all 72 findings (low-signal and informational)
Showing 60 of 72 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/agentRecordHelpers.ts | matched "curl " | 12 |
| medium | Remote Payload | package/server/payments/crypto/cryptoUsdcBaseConfig.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/auth/server/emailAutomationTemplates.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/auth/server/emailScenarioNotifications.ts | matched "cUrl " | 12 |
| medium | Remote Payload | package/ai/tools/importSkillTool.ts | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/server/handlers/agentRun/toolExecutor.ts | matched "raw.githubusercontent.com" | 12 |
| low | Obfuscation | package/server/handlers/activityStatsHandler.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/agentRunParsing.ts | matched "\\u4e00" | 3 |
| low | Obfuscation | package/server/handlers/appDomainHandler.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/server/handlers/appSandboxHandler.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/server/handlers/appSpaceAccess.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/auth/server/billingUsageReport.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/server/handlers/chatHandler.ts | matched "\\x1b" | 3 |
| low | Obfuscation | package/cliEnvHelpers.ts | matched "Buffer.from(payload, \"base64" | 3 |
| low | Obfuscation | package/server/handlers/codeSearchHandler.ts | matched "\\u0000" | 3 |
| low | Obfuscation | package/client/compactDialog.ts | matched "Buffer.from(payloadBase64, \"base64" | 3 |
| low | Obfuscation | package/render/page/server/createPage.ts | matched "\\x20" | 3 |
| low | Obfuscation | package/render/page/createPageAction.ts | matched "\\x20" | 3 |
| low | Obfuscation | package/auth/server/creatorEarningsReport.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/creatorSettlementReport.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/server/payments/crypto/cryptoUsdcBaseScanner.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/server/payments/crypto/cryptoUsdtTronScanner.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/auth/server/delete.ts | matched "\\xFF" | 3 |
| low | Obfuscation | package/database/server/delete.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/chat/messages/deleteMessages.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/database/table/deleteTable.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/render/table/deleteTableAction.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/server/handlers/desktopAgentRuntimeAdapter.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/server/handlers/agentRun/dialogLookup.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/chat/dialog/dialogSlice.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/emailAutomation.ts | matched "\\xFF" | 3 |
| low | Obfuscation | package/auth/server/emailDelivery.ts | matched "\\xFF" | 3 |
| low | Obfuscation | package/database/server/emailRepository.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/emailScenarioNotifications.ts | matched "\\xFF" | 3 |
| low | Obfuscation | package/chat/messages/fetchMessages.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/database/client/fetchUserData.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/create/space/member/fetchUserSpaceMembershipsAction.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/server/handlers/geminiImagePreviewHandler.ts | matched "Buffer.from(img.data, \"base64" | 3 |
| low | Obfuscation | package/ai/tools/generateDocxTool.ts | matched "\\u00A0" | 3 |
| low | Obfuscation | package/app/utils/imageUtils.ts | matched "atob(" | 3 |
| low | Obfuscation | package/ai/chat/inlineImageUrlsForCustomProvider.ts | matched "fromCharCode" | 3 |
| low | Obfuscation | package/ai/tools/jdProductScraperTool.ts | matched "\\u4e00" | 3 |
| low | Obfuscation | package/database/keys.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/share/keys.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/ledgerAudit.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/ledgerWitness.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/listusers.ts | matched "\\xFF" | 3 |
| low | Obfuscation | package/client/localRuntimeAdapter.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/server/handlers/machines/machineInstallAssets.ts | matched "\\u5199" | 3 |
| low | Obfuscation | package/ai/agent/machineRunPermissions.ts | matched "\\u5199" | 3 |
| low | Obfuscation | package/server/api/methods.ts | matched "\\xff" | 3 |
| low | Obfuscation | package/ai/token/modelUsageQuery.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/create/editor/plugins/normalizeChineseTypography.ts | matched "\\u3400" | 3 |
| low | Obfuscation | package/server/handlers/openaiImageHandler.ts | matched "Buffer.from(parsed.data, \"base64" | 3 |
| low | Obfuscation | package/pageWriteHelpers.ts | matched "\\u4e00" | 3 |
| low | Obfuscation | package/database/server/query.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/ai/memory/rank.ts | matched "\\u3400" | 3 |
| low | Obfuscation | package/share/server/readCommunityShareCover.ts | matched "Buffer.from(payload, \"base64" | 3 |
| low | Obfuscation | package/database/server/resourceAccess.ts | matched "\\uffff" | 3 |
| low | Obfuscation | package/auth/server/revenueShareReport.ts | matched "\\uffff" | 3 |
Manifest
Package metadata
Dependencies: 45
- @hookform/resolvers ^3.3.2
- @lobehub/icons ^5.0.1
- @react-native-community/netinfo ^11.5.0
- @reduxjs/toolkit ^2.5.0
- @types/crypto-js ^4.1.2
- @waffo/pancake-ts ^0.5.2
- async-mutex ^0.5.0
- browser-image-compression ^2.0.2
- croner ^8.0.1
- crypto-js ^4.1.1
- date-fns-tz ^2.0.0
- diff ^8.0.2
- docxtemplater ^3.67.5
- i18next ^23.11.5
- iztro ^2.5.8
- js-base64 ^3.7.7
- js-yaml ^4.1.0
- level ^10.0.0
- mdast-util-from-markdown ^2.0.2
- mdast-util-gfm ^3.0.0
- mermaid ^11.6.0
- micromark-extension-gfm ^3.0.0
- pdfjs-dist ^5.2.133
- pino ^9.9.0
- pizzip ^3.2.0
- playwright ^1.59.1
- rambda ^8.6.0
- react ^19.2.1
- react-dom ^19.2.1
- react-hook-form ^7.51.5
- …and 15 more.