Package evidence
[email protected]
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 113
- First published
- Mar 2026
- Publisher
- fjpulidop
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 50 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/server/dist/plugins/prereq-installer.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Hidden Powershell | package/server/dist/plugins/prereq-installer.js | Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. | 45 |
| low | Credential file access | package/server/dist/code-explorer-router.js | matched "id_rsa" | 5 |
Manifest
Package metadata
Scripts20
assemble-runtimesnode scripts/assemble-runtimes-local.mjsbuildnpm run build:server && cd client && npm run build && cd .. && npm run build:clibuild:clitsc --project tsconfig.cli.jsonbuild:desktopnpm run build:server && cd client && npm run build && cd .. && npm run build:sidecar && tauri buildbuild:desktop:localnpm run assemble-runtimes && npm run build:desktopbuild:servernode -e "require('fs').rmSync('server/dist',{recursive:true,force:true})" && tsc --project tsconfig.jsonbuild:sidecarnode scripts/build-sidecar.mjscheck-core-compattsx scripts/check-core-compat.tscinpm run typecheck && npm test && npm run test:coverage && cd client && npm run test:coveragedevconcurrently "npm run dev:server" "npm run dev:client"dev:clientcd client && npm run devdev:desktoptauri devdev:servertsx watch server/index.tsgenerate-iconstauri icon src-tauri/icons/icon.svgtestvitest run && tsx scripts/check-core-compat.tstest:allvitest run && cd client && npx vitest runtest:clientcd client && npx vitest runtest:coveragevitest run --coveragetest:watchvitesttypechecktsc --noEmit && cd client && tsc --noEmit
Dependencies14
@tailwindcss/typography^0.5.19ajv^8.17.1better-sqlite3^12.8.0chokidar^5.0.0cross-spawn^7.0.6diff^9.0.0express^5.2.1multer^2.1.1node-pty^1.0.0pdf-parse^2.4.5playwright^1.60.0read-excel-file^9.0.6tree-kill^1.2.2ws^8.16.0