npm · registry.npmjs.org
@liflig/load-secrets
Credential file access: matched "GITHUB_TOKEN"
Why PkgRadar flagged 1.1.159
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential file access | matched "GITHUB_TOKEN" · package/.github/workflows/ci.yaml |
| high | Install Lifecycle Remote Or Exec | prepare="bun run build && husky" · package.json |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 1.1.173 | Low risk | 0 | 2026-06-13 |
| 1.1.172 | Low risk | 0 | 2026-06-12 |
| 1.1.171 | Low risk | 0 | 2026-06-09 |
| 1.1.170 | Low risk | 0 | 2026-06-09 |
| 1.1.169 | Low risk | 0 | 2026-06-07 |
| 1.1.167 | Low risk | 0 | 2026-06-06 |
| 1.1.168 | Low risk | 0 | 2026-06-06 |
| 1.1.166 | Low risk | 0 | 2026-06-04 |
| 1.1.165 | Low risk | 0 | 2026-06-02 |
| 1.1.164 | Low risk | 0 | 2026-06-01 |
| 1.1.163 | Low risk | 0 | 2026-06-01 |
| 1.1.162 | Low risk | 0 | 2026-05-29 |
| 1.1.161 | Low risk | 0 | 2026-05-26 |
| 1.1.160 | Low risk | 0 | 2026-05-25 |
| 1.1.159 | Review | 60 | 2026-05-25 |
| 1.1.157 | Review | 60 | 2026-05-24 |
| 1.1.158 | Review | 60 | 2026-05-24 |
Related campaigns
- install_lifecycle_remote_or_exec:prepare="bun run build && husky" — 3 releases, max score 64
Block this in CI
pkgradar gate --ecosystem npm @liflig/[email protected]