Package evidence
[email protected]
Suspicious Publish Context: {"package_age_days":0,"publisher":"deepthought26","burst_same_day":2,"burst_week":2,"lure":null,"version_anomaly":false,"new_account":false}
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 3
- First published
- Jun 2026
- Publisher
- deepthought26
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Suspicious Publish Context: {"package_age_days":0,"publisher":"deepthought26","burst_same_day":2,"burst_week":2,"lure":null,"version_anomaly":false,"new_account":false}
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Suspicious Publish Context | manifest | {"package_age_days":0,"publisher":"deepthought26","burst_same_day":2,"burst_week":2,"lure":null,"version_anomaly":false,"new_account":false} | 10 |
Manifest
Package metadata
Scripts21
buildnpm run build:types && npm run build:jsbuild:jsbabel src --out-dir lib --extensions ".js,.ts" --source-maps inlinebuild:typestsc --project tsconfig.build.json --emitDeclarationOnlycleannode -e "try{require('fs').rmSync('lib',{recursive:true,force:true})}catch(e){}"coveragenpm run type-check && npm run lint -- --quiet && npm run mocha:coveragefixnpm run fix:lintfix:lintnpm run lint -- --fixlinteslint "src/**"lint:strictnpm run lint -- --max-warnings 0mochacross-env TS_NODE_FILES=true NODE_OPTIONS=--no-experimental-strip-types mocha -r ts-node/register "src/**/*.test.ts" --timeout 10000mocha:buildmocha lib/**/*.test.js --timeout 10000mocha:coveragenyc npm run mocha && nyc report --reporter=lcovpostpublishgit push && git push --tagspostversionnpm publishpreparenpm run clean && npm run build && husky installprepublishOnlynpm run test:commit && npm run test:build && npm run lint:stricttestnpm run type-check && npm run lint -- --quiet && npm run mochatest:buildnpm run mocha:buildtest:commitnode -e "const{execSync}=require('child_process');const s=execSync('git status --untracked-files=no --porcelain',{encoding:'utf8'});if(s.trim()){console.error('Uncommitted changes found. Please commit them first.');process.exit(1)}console.log('All files committed.')"type-checktsc --noEmittype-check:watchnpm run type-check -- --watch