
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
pi-multica-spine
Advanced tools
Pi extension that keeps Multica work agents bound to issue, PR, evidence, and handoff contracts.
A Pi extension that keeps Multica work agents bound to the issue → PR → evidence → handoff contract.
pi-multica-spine is for Pi agents doing implementation or PR-producing work inside Multica. It injects a short work-agent contract and exposes typed tools that make forgotten PR binding, verification evidence, and handoff gaps visible before an agent reports done.
It does not replace Multica controllers, Todo Runner, Review Sentinel, or PR creation flow. It is a narrow spine for work agents.
.multica-spine/ state store with opaque issue identifiers and ASCII-safe task filenames.Multica Issue: <issue-identifier> PR body line.multica_spine_verify — fails until issue binding, PR writeback, evidence, handoff, and git completion (clean worktree, no conflict markers, pushed commits, current PR head SHA) are complete.| Tool | Purpose |
|---|---|
multica_spine_bind | Bind the active opaque issue identifier. |
multica_spine_context | Inspect current issue, PR, evidence, handoff, and verification state. |
multica_spine_next | Return current state plus the next required action. |
multica_spine_link_pr | Record PR URL and metadata (prNumber, prHeadSha, prBranch, etc.). |
multica_spine_add_evidence | Record verification command/manual/test/lint/typecheck evidence. |
multica_spine_handoff | Record structured done/changed/verification/blockers/next handoff. |
multica_spine_verify | Completion check. Fails until issue, PR binding, writeback, evidence, handoff, and git completion blockers are resolved. |
Install the published npm package with Pi:
pi install npm:pi-multica-spine
Pin a specific version when you want reproducible installs:
pi install npm:pi-multica-spine@0.1.2
Install into the current project instead of your user Pi settings:
pi install npm:pi-multica-spine -l
Or install from GitHub:
pi install git:github.com/eiei114/pi-multica-spine
Try it without permanently installing:
pi -e npm:pi-multica-spine
Clone the repo and try the extension locally:
git clone https://github.com/eiei114/pi-multica-spine.git
cd pi-multica-spine
npm install
pi -e .
Then bind an issue and walk the spine:
multica_spine_bind with your opaque issue identifier.multica_spine_next to see the required next action.multica_spine_link_pr with PR URL, number, head SHA, branch, and writebackRecorded: true after the source issue is updated.multica_spine_add_evidence with verification results.multica_spine_handoff with a reviewer-ready summary.multica_spine_verify before reporting done.Recommended PR body line:
Multica Issue: <issue-identifier>
You are acting as a Multica Work Agent.
For Multica implementation or PR-producing work:
1. Bind the active issue identifier with multica_spine_bind.
2. Use multica_spine_next to see the required next action.
3. Ensure PRs reference the bound issue identifier.
4. Do not report done until multica_spine_verify passes.
State is repo-local:
.multica-spine/current.json
.multica-spine/tasks/<safe-issue-identifier>.json
Issue identifiers are stored canonically as opaque strings. Filenames are ASCII-safe slugs with a short hash suffix.
| Path | Purpose |
|---|---|
extensions/ | Pi TypeScript extension entrypoint (index.ts) |
lib/ | Spine state store, state machine, PR binding checker, git completion checker, and schemas |
docs/ | Release and maintainer docs (release.md) |
README.md | Public entrypoint (this file) |
LICENSE | MIT license |
CHANGELOG.md | Version history |
npm install
npm run ci
Individual checks:
npm run typecheck
npm test
npm run pack:check
This package uses npm Trusted Publishing with GitHub Actions OIDC — no NPM_TOKEN is required.
npm version patch
git push
On main, .github/workflows/auto-release.yml creates the v<version> tag and GitHub Release, then dispatches .github/workflows/publish.yml to publish to npm.
See docs/release.md for setup details.
Pi packages run with your local permissions. Review extensions before installing third-party packages.
For vulnerability reporting, see SECURITY.md.
MIT
FAQs
Pi extension that keeps Multica work agents bound to issue, PR, evidence, and handoff contracts.
We found that pi-multica-spine demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.