Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 131 (Mature · −50% score)
- First published: Mar 2022
- Publisher: scopsy
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Webhook Exfil Endpoint: matched "ngrok.app"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 22 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Webhook Exfil Endpoint | package/dist/src/index.js | matched "ngrok.app" | 40 |
| low | Credential file access | package/dist/src/commands/connect/ui/index.mjs | matched ".aws/" | 5 |
Manifest
Package metadata
Scripts (18)
- `build`: `pnpm prebuild && tsc -p tsconfig.json && tsc -p tsconfig.ui.json && node scripts/build-ui.mjs && cp -r src/commands/init/templates/app* dist/src/commands/init/templates && cp -r src/commands/init/templates/github dist/src/commands/init/templates && cp -r src/commands/wizard/skills/content dist/src/commands/wizard/skills`
- `build:prod`: `pnpm prebuild && pnpm build`
- `check`: `biome check .`
- `check:fix`: `biome check --write .`
- `prebuild`: `rimraf dist`
- `precommit`: `lint-staged`
- `print:project-path`: `echo "$PWD" | sed 's|.*/novu/||'`
- `start`: `pnpm start:dev`
- `start:debug`: `cross-env nodemon --config nodemon-debug.json`
- `start:dev`: `cross-env NODE_ENV=dev NOVU_EMBED_PATH=http://127.0.0.1:4701/embed.umd.min.js NOVU_API_ADDRESS=http://127.0.0.1:3000 NOVU_CLIENT_LOGIN=http://127.0.0.1:4200/auth/login CLI_SEGMENT_WRITE_KEY=GdQ594CEBj4pU6RFldDOjKJwZjxZOsIj nodemon init`
- `start:dev:mode`: `cross-env NODE_ENV=dev CLI_SEGMENT_WRITE_KEY=GdQ594CEBj4pU6RFldDOjKJwZjxZOsIj nodemon dev --dashboard-url http://localhost:4201`
- `start:init:mode`: `cross-env NODE_ENV=dev nodemon init`
- `start:mode`: `cross-env NODE_ENV=dev CLI_SEGMENT_WRITE_KEY=GdQ594CEBj4pU6RFldDOjKJwZjxZOsIj nodemon`
- `start:prod`: `cross-env node dist/src/index.js`
- `start:sync:mode`: `cross-env NODE_ENV=dev CLI_SEGMENT_WRITE_KEY=GdQ594CEBj4pU6RFldDOjKJwZjxZOsIj nodemon sync`
- `start:test`: `cross-env NODE_ENV=test PORT=1336 nodemon init`
- `test`: `vitest`
- `test:watch`: `vitest --watch`
Dependencies (42)
- @anthropic-ai/claude-agent-sdk ^0.2.114
- @babel/parser ^7.29.0
- @inkjs/ui 2.0.0
- @novu/framework 2.11.1
- @novu/ntfr-client ^0.0.5
- @novu/shared 2.7.0
- @segment/analytics-node ^1.1.4
- async-sema 3.0.1
- axios ^1.17.0
- chalk 4.1.2
- cli-highlight 2.1.11
- cli-table3 0.6.5
- clipboardy 4.0.0
- commander ^9.0.0
- configstore ^5.0.0
- cross-spawn 7.0.5
- diff 9.0.0
- dotenv ^16.6.1
- esbuild ^0.25.0
- fast-glob 3.3.1
- figures 6.1.0
- form-data ^4.0.5
- get-port ^5.1.1
- gradient-string ^2.0.0
- ink ^7.0.1
- ink-scroll-view ^0.3.6
- inquirer ^8.2.0
- jwt-decode ^3.1.2
- marked 12.0.2
- nanostores 1.2.0
- …and 12 more.