pp-techmeme

SUSPICIOUS: the core read-only Techmeme purpose is coherent, but the trust story is weakened by external installer execution, mutable @latest installs, unclear publisher-to-package relationship, and arbitrary webhook export. No clear credential harvesting or covert behavior is present, so this is not confirmed malware, but it carries medium supply-chain and outbound-data risk.