PkgRadar

Package evidence

[email protected]

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,078Niche · −30% score
Versions published
89Mature · −50% score
First published
Apr 2025
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes7,915,665
Previous version0.5.40
Published2026-06-17T05:44:12.595Z
SHA-256245673bf1037a0f246f7e631be5ac11a3316cabfca6d1dc87ec8c6f9248889b6

Why flagged

What the scanner saw

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
18Score
0.5.41Version
Status history (1 event)
  1. newavailable · risk review · score 18 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Hidden Powershellpackage/dist/public/assets/dialogs-config-B-LZ4nOb.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
highJs Hidden Powershellpackage/dist/index.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
mediumRemote Payloadpackage/dist/index.jsmatched "raw.githubusercontent.com"12
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Hidden Powershellpackage/dist/public/assets/dialogs-config-B-LZ4nOb.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
highJs Hidden Powershellpackage/dist/index.jsHidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.45
mediumRemote Payloadpackage/dist/index.jsmatched "raw.githubusercontent.com"12
lowLarge Javascript Payloadpackage/dist/public/assets/monaco-CZnIWXyV.js4147218 bytes0
lowLarge Javascript Payloadpackage/dist/public/assets/ts.worker-B0J26iPs.js6895040 bytes0

Manifest

Package metadata

Scripts17
  • api-serve-462bun run build:server && MODE=development bun dist/index.js --debug
  • buildbun run build:app-assets && bun run build:server && electrobun build --targets macos-arm64
  • build:app-assetscd ../app && bun run build
  • build:npmbun run build:app-assets && bun run build:server
  • build:serverrm -rf dist && bun scripts/bundle.ts && cp src/scaffold-templates.json dist/ && cp recommended-models.txt dist/
  • devbun run sync-models && bun run build:app-assets && electrobun dev
  • dev:watchbun run build:app-assets && electrobun dev --watch
  • electrobun:buildbunx electrobun build --env=dev
  • electrobun:devbunx electrobun dev
  • electrobun:dev:signedbunx electrobun dev
  • electrobun:runbunx electrobun run
  • lintbunx tsgo --noEmit
  • startbun run dev
  • sync-modelscd ../ai-data && bun run sync-models
  • testenv -u TARSK_DEBUG vp test run
  • webMODE=development bun run build:server && bun dist/index.js
  • websitecd ../site && bunx serve . -l 8080
Dependencies12
  • @earendil-works/pi-agent-core0.79.6
  • @earendil-works/pi-ai0.79.6
  • @hono/node-server1.19.13
  • @libsql/client0.17.2
  • @modelcontextprotocol/sdk1.29.0
  • @sinclair/typebox0.34.49
  • diff8.0.4
  • glob^13.0.1
  • hono4.12.25
  • ignore^7.0.5
  • open^11.0.0
  • ripgrep0.3.1