PkgRadar

npm · registry.npmjs.org

codexus

Credential file access: matched "aws_secret_access_key"

Why PkgRadar flagged 0.1.0-alpha.1

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspostinstall added in 0.1.0-alpha.1 vs 0.1.0-alpha.0: "node scripts/postinstall.mjs" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.2.4Review32026-06-16
0.2.3Review32026-06-16
0.1.0-alpha.1High risk502026-06-13
0.2.2Review32026-06-12
0.2.1Review32026-06-11
0.2.0Review32026-06-08
0.1.15Review32026-06-08
0.1.14Review32026-06-07
0.1.12Review32026-06-07
0.1.13Review32026-06-07
0.1.11Review32026-06-05
0.1.10Review32026-06-05
0.1.9Review32026-06-05
0.1.8Review32026-06-04
0.1.7Review32026-06-03
0.1.6Review32026-06-03
0.1.5Review32026-06-03
0.1.4Review32026-06-03
0.1.2Review32026-06-02
0.1.3Review32026-06-02
0.1.1Review32026-06-01
0.1.0Review32026-06-01
0.1.0-alpha.7Review32026-06-01
0.1.0-alpha.6Review32026-06-01
0.1.0-alpha.5Review102026-05-31
0.1.0-alpha.4Review102026-05-31
0.1.0-alpha.3Review102026-05-30
0.1.0-alpha.2Review102026-05-30
0.1.0-alpha.0Review52026-05-29

Campaign attribution

Part of the asteroiddao npm campaign campaign.

Block this in CI

PkgRadar gates codexus (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence