PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
288Mature · −50% score
First published
Aug 2023
Publisher
vexare

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishervexare
Artifact bytes674,765
Previous version1.0.304
Published2026-05-27T22:26:27.489Z
SHA-256e96ceaf296f2522dcdebecdb0ca3d3ef9f81f54d5ec3c25b278afdfc40ee8fc4

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
6Score
1.0.305Version
Status history (1 event)
  1. newavailable · risk review · score 6 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/release/esm/components/Icons/index.jshigh encoded/escaped-token density12

Manifest

Package metadata

Scripts15
  • autotsc -watch - tsconfig.json
  • buildyarn build:esm && yarn build:cjs && yarn copy && yarn copy2 && yarn copy3
  • build:cjstsc --module commonjs --outDir release/cjs
  • build:esmtsc
  • copycopyfiles -u 2 "./source/components/**/*.{css,scss}" "./release/cjs/components"
  • copy2copyfiles -u 2 "./assets/**/*.{scss,css}" "./release/assets/styles/"
  • copy3copyfiles -u 2 "./assets/**/*.{woff,woff2,ttf}" "./release/assets/fonts/"
  • productionwebpack --mode production
  • pubtsc && npm version patch --force && npm publish --access public
  • startwebpack-dev-server --mode development
  • testecho "Error: no test specified" && exit 1
  • tsctsc
  • tsc2tsc && tsc -m es6 --outDir release && webpack --mode development
  • tsc3tsc --emitDeclarationOnly
  • webpackwebpack --mode development
Dependencies12
  • axios^1.4.0
  • css-loader^6.8.1
  • html-webpack-plugin^5.5.3
  • module-alias^2.2.3
  • qs^6.14.0
  • sass^1.99.0
  • sass-loader^13.3.2
  • style-loader^3.3.3
  • ts-loader^9.4.4
  • typescript^5.1.6
  • webpack^5.88.2
  • webpack-cli^5.1.4