npm · registry.npmjs.org
dev-env-bootstrapper
Credential file access: matched ".ssh"
Why PkgRadar flagged 1.5.2
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential file access | matched ".ssh" · package/lib/scanner-core.js |
| high | Credential file access | matched "github_token" · package/lib/trap-core.js |
| high | DNS / OAST exfiltration | matched "dns.lookup" · package/lib/trap-core.js |
| high | Install-time lifecycle script | postinstall="node lib/setup.js" · package.json |
| high | Install Lifecycle Remote Or Exec | postinstall="node lib/setup.js" · package.json |
| medium | Remote Payload | matched "webhook.site" · package/lib/scanner-core.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/lib/trap-core.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.0.1-security | Low risk | 0 | 2026-05-24 |
1.5.2 | High risk | 149 | 2026-05-24 |
1.4.0 | High risk | 149 | 2026-05-24 |
1.5.0 | High risk | 149 | 2026-05-24 |
Related campaigns
- asdxzxc — 30 releases, max score 149
- credential_paths:matched "github_token" — 50 releases, max score 230
- credential_paths:matched ".ssh" — 42 releases, max score 230
Block this in CI
pkgradar gate --ecosystem npm [email protected]