PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: turtle.tech
Artifact bytes: 365,634
Previous version: 3.1.20
Published: 2026-05-24T21:26:59.254Z
SHA-256: bc1c29359053846f94a33a14d47c7e184d2e38271ae1db3f242d4a9bc3cc6339

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 69
Version: 3.1.26
Status history (1 event)
  1. new · available · risk high · score 69 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burst · stale

turtle.tech

7 members · evidence strength 84

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/index-wt8rz4gn.js | matched "curl " | 12 |
| medium | Obfuscation Density | package/dist/cli/index.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/bin/trellis.mjs | matched "curl " | 12 |
| low | Obfuscation | package/dist/index-3qrxzwe4.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/index-53f3b8p8.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/index-65z0xfjw.js | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/index-a2a394zz.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/index-h7zxhhhh.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/index-hr9qvv77.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/index-wt8rz4gn.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/index-yp88he8n.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/cli/index.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/cms/index.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/core/index.js | matched "\\u2192" | 3 |

Manifest

Package metadata

Scripts (9)
  • build: bun build src/index.ts src/core/index.ts src/vcs/index.ts src/embeddings/index.ts src/links/index.ts src/decisions/index.ts src/server/index.ts src/client/index.ts src/react/index.ts src/db/index.ts src/cli/index.ts src/cms/index.ts src/core/persist/sqljs-backend.ts src/core/persist/factory.ts src/server/node-adapter.ts --outdir dist --target bun --splitting --format esm --root src --external @xenova/transformers --external @huggingface/transformers --external react --external sql.js --external ws && mkdir -p dist/ui && cp src/ui/client.html dist/ui/client.html && tsc -p tsconfig.build.json --emitDeclarationOnly --noEmit false --noEmitOnError false && bun run build:inspector
  • build:inspector: vite build --config vite.inspector.config.ts
  • cli: bun run src/cli/index.ts
  • dev: bun run src/index.ts
  • mcp: bun run src/mcp/index.ts
  • mcp:docs: bun run src/mcp/docs.ts
  • prepublishOnly: npm run test && npm run build
  • test: bun test test/core test/cms test/vcs test/git test/p2 test/p3 test/p4 test/p5 test/p6 test/p7 test/engine.test.ts test/cli
  • test:all: bun test
Dependencies (7)
  • @inquirer/prompts ^8.2.2
  • @modelcontextprotocol/sdk ^1.6.0
  • chalk ^5.4.1
  • commander ^13.1.0
  • opencode-ai ^1.3.5
  • turtlecode ^0.3.23
  • zod 3
Optional dependencies (4)
  • @huggingface/transformers ^3.0.0
  • @xenova/transformers ^2.17.2
  • sql.js ^1.14.1
  • ws ^8.20.1