npm · registry.npmjs.org

@earendil-works/gondolin

DNS / OAST exfiltration: matched "dns.lookup"

Why PkgRadar flagged 0.11.0

Severity	Signal	Evidence
high	DNS / OAST exfiltration	matched "dns.lookup" · package/dist/src/qemu/http.js
high	DNS / OAST exfiltration	matched "dns.lookup" · package/dist/src/http/utils.js
medium	Credential file access	matched ".ssh" · package/dist/src/ssh/utils.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.11.0`	Review	21	2026-05-28
`0.12.0`	Review	21	2026-05-28

Block this in CI

PkgRadar gates @earendil-works/gondolin (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @earendil-works/[email protected]