PkgRadar

Package evidence

[email protected]

Remote Payload: matched "wget "

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherstevenvelozo
Artifact bytes11,107,703
Previous version1.0.27
Published2026-05-22T01:38:00.575Z
SHA-25676ccf4abb67fc0af7ea08c46e04772590f9f2d9634d86f8269646ab198bd1e9a

Why flagged

What the scanner saw

Remote Payload: matched "wget "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
110Score
1.0.28Version
Status history (1 event)
  1. newavailable · risk high · score 110 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

stevenvelozo

6 members · evidence strength 84

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/html/codejar-bundle.jsmatched "wget "12
mediumObfuscation Densitypackage/html/codejar-bundle.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/web-application/codejar-bundle.jsmatched "wget "12
mediumObfuscation Densitypackage/web-application/codejar-bundle.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/html/codemirror-bundle.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/web-application/codemirror-bundle.jshigh encoded/escaped-token density12
mediumLarge Javascript Payloadpackage/web-application/retold-content-system.compatible.js3092366 bytes10
mediumLarge Javascript Payloadpackage/web-application/retold-content-system.js2932037 bytes10
Show all 14 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/html/codejar-bundle.jsmatched "wget "12
mediumObfuscation Densitypackage/html/codejar-bundle.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/web-application/codejar-bundle.jsmatched "wget "12
mediumObfuscation Densitypackage/web-application/codejar-bundle.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/html/codemirror-bundle.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/web-application/codemirror-bundle.jshigh encoded/escaped-token density12
mediumLarge Javascript Payloadpackage/web-application/retold-content-system.compatible.js3092366 bytes10
mediumLarge Javascript Payloadpackage/web-application/retold-content-system.js2932037 bytes10
lowObfuscationpackage/html/codejar-bundle.jsmatched "\\u0410"3
lowObfuscationpackage/web-application/codejar-bundle.jsmatched "\\u0410"3
lowObfuscationpackage/html/codemirror-bundle.jsmatched "fromCharCode"3
lowObfuscationpackage/web-application/codemirror-bundle.jsmatched "fromCharCode"3
lowObfuscationpackage/source/Pict-Application-ContentEditor.jsmatched "\\u00B7"3
lowObfuscationpackage/web-application/js/pict.min.jsmatched "fromCharCode"3

Manifest

Package metadata

Scripts19
  • brandnode node_modules/pict-section-theme/bin/pict-section-theme-brand.js --manifest ../../../Retold-Modules-Manifest.json --module retold-content-system --favicons web-application/favicons
  • buildnpx quack build && npx quack copy
  • build-allnpm run build-codemirror && npm run build-codejar && npm run build
  • build-codejarnode build/build-codejar-bundle.js
  • build-codemirrornode build/build-codemirror-bundle.js
  • postpublishnpx quack release postpublish
  • postversionnpx quack release postversion
  • prebuildnpm run brand
  • prepacknpm run build-all
  • prepublishOnlynpm test
  • publish:dockernpx quack release publish --image
  • release:majornpx quack release major
  • release:major:imagenpx quack release major --image
  • release:minornpx quack release minor
  • release:minor:imagenpx quack release minor --image
  • release:patchnpx quack release patch
  • release:patch:imagenpx quack release patch --image
  • startnode source/cli/ContentSystem-CLI-Run.js serve
  • testecho "Error: no test specified" && exit 0
Dependencies19
  • fable^3.1.75
  • orator^6.1.2
  • orator-serviceserver-restify^2.0.11
  • pict^1.0.370
  • pict-application^1.0.34
  • pict-provider^1.0.13
  • pict-provider-theme^1.0.1
  • pict-provider-vocabulary^1.0.1
  • pict-section-code^1.0.11
  • pict-section-content^1.0.3
  • pict-section-filebrowser^1.0.4
  • pict-section-inlinedocumentation^1.0.1
  • pict-section-login^1.0.0
  • pict-section-markdowneditor^1.0.15
  • pict-section-modal^1.1.1
  • pict-section-theme^1.0.5
  • pict-service-commandlineutility^1.0.19
  • pict-view^1.0.68
  • ultravisor-beacon^1.0.1