PkgRadar

Package evidence

[email protected]

Reverse Shell, Credential file access, New Account With Lifecycle Hook +3 more

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
2
First published
Jul 2026
Publisher
srm0rgan

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishersrm0rgan
Artifact bytes7,794
Previous version1.0.0
Published2026-07-07T11:46:25.470Z
SHA-256f432a494a53852385704db66054f52ddaaa68510c278ad7f5c162f669d031002

Why flagged

What the scanner saw

Reverse Shell

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
155Score
1.0.2Version
Status history (1 event)
  1. newavailable · risk high · score 155 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burstactive

Publisher burst: srm0rgan

18 members · evidence strength 84
Publisher / release actor burstcandidate

Publisher burst: srm0rgan

18 members · max score 245

Evidence

Static findings

9 static · 1 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highReverse Shellmanifest40
highReverse Shellmanifest40
highNew Lifecycle Script Vs Previousmanifest40
highCredential file accessmanifest30
highCredential file accessmanifest30
highNew Account With Lifecycle Hookmanifest25
mediumSuspicious Publish Contextmanifest10
Show all 10 findings (low-signal and informational)
SeverityKindPathDetailPoints
highReverse Shellmanifest40
highReverse Shellmanifest40
highNew Lifecycle Script Vs Previousmanifest40
highCredential file accessmanifest30
highCredential file accessmanifest30
highNew Account With Lifecycle Hookmanifest25
mediumSuspicious Publish Contextmanifest10
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowInstall-time lifecycle scriptmanifest5

Manifest

Package metadata

Dependencies1
  • @paperclipai/adapter-utils^2026.626.0