PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherxmorse
Artifact bytes2,680,184
Previous version4.1.7
Published2026-05-24T16:25:30.526Z
SHA-256c99e73d4047a1b4923d59dd39e5315d3f3fe4c9cb417e2dedb22d971437addee

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
97Score
4.1.8Version
Status history (1 event)
  1. newavailable · risk high · score 97 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

xmorse

2 members · evidence strength 64

Evidence

Static findings

12 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/dist/framer-chunks/fontshare-4THNDPMZ-BJQGNHXN.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/framer-chunks/framer-font-45AI7UCZ-LU7DEIDM.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/dist/plugin-mcp-dist/lib/mcp.test.jsmatched "curl "12
mediumRemote Payloadpackage/src/plugin-mcp-dist/lib/mcp.test.jsmatched "curl "12
mediumRemote Payloadpackage/dist/plugin-mcp-dist/lib/schema.jsmatched "curl "12
mediumRemote Payloadpackage/src/plugin-mcp-dist/lib/schema.jsmatched "curl "12
mediumLarge Javascript Payloadpackage/dist/framer-chunks/google-3FCAKCAC-P5EL6KGL.js10195206 bytes10
Show all 12 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/dist/framer-chunks/fontshare-4THNDPMZ-BJQGNHXN.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/framer-chunks/framer-font-45AI7UCZ-LU7DEIDM.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/dist/plugin-mcp-dist/lib/mcp.test.jsmatched "curl "12
mediumRemote Payloadpackage/src/plugin-mcp-dist/lib/mcp.test.jsmatched "curl "12
mediumRemote Payloadpackage/dist/plugin-mcp-dist/lib/schema.jsmatched "curl "12
mediumRemote Payloadpackage/src/plugin-mcp-dist/lib/schema.jsmatched "curl "12
mediumLarge Javascript Payloadpackage/dist/framer-chunks/google-3FCAKCAC-P5EL6KGL.js10195206 bytes10
lowObfuscationpackage/dist/framer-chunks/fontshare-4THNDPMZ-BJQGNHXN.jsmatched "\\xA1"3
lowObfuscationpackage/dist/framer-chunks/framer-font-45AI7UCZ-LU7DEIDM.jsmatched "\\xC4"3
lowObfuscationpackage/dist/framer-chunks/sqlite-wasm-FGP37EAY-HR6PIAJQ.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/utils.jsmatched "\\u2000"3
lowObfuscationpackage/src/utils.tsmatched "\\u2000"3

Manifest

Package metadata

Scripts5
  • buildpnpm tsgo && cp ../README.md ./README.md && cp ./src/framer.d.ts ./dist/framer.d.ts && cp ./src/framer.js ./dist/framer.js && cp -r ./src/framer-chunks ./dist/framer-chunks
  • download-framertsx scripts/download.ts
  • gen-clientexport DIR=./src/generated/ && cd ../../website && pnpm tsc; rm -rf $DIR && mkdir -p $DIR && cp ./dist/src/lib/api-client.* $DIR
  • testvitest
  • watchpnpm tsc -w
Dependencies24
  • @antfu/ni^25.0.0
  • @babel/core^7.28.6
  • @biomejs/js-api^0.7.1
  • @biomejs/wasm-nodejs^1.9.4
  • @goke/mcp^0.0.4
  • @inquirer/prompts^8.2.0
  • @modelcontextprotocol/sdk^1.25.3
  • async-sema^3.1.1
  • camelcase^9.0.0
  • diff^7.0.0
  • dom-serializer^2.0.0
  • esbuild^0.28.0
  • esbuild-plugins-node-modules-polyfill^1.6.8
  • framer-api^0.1.2
  • goke^6.8.0
  • htmlparser2^10.1.0
  • nanospinner^1.2.2
  • picocolors^1.1.1
  • real-framer-motionnpm:framer-motion@^12.34.2
  • sema4^0.1.3
  • spiceflow^1.17.10
  • string-dedent^3.0.1
  • undici^7.18.2
  • zod^4.3.6