npm · registry.npmjs.org
dry-aged-deps
Ci Workflow Secret Harvesting: workflow references CI/cloud credential harvesting surfaces
Why PkgRadar flagged 2.10.1
| Severity | Signal | Evidence |
|---|---|---|
| high | Ci Workflow Secret Harvesting | workflow references CI/cloud credential harvesting surfaces · package/.github/workflows/auto-update.yml |
| high | Credential file access | matched "GITHUB_TOKEN" · package/.github/workflows/auto-update.yml |
| high | Credential file access | matched "GITHUB_TOKEN" · package/.github/workflows/ci-publish.yml |
| medium | Obfuscation Density | high encoded/escaped-token density · package/test/fixtures-up-to-date/package-lock.json |
| medium | Obfuscation Density | high encoded/escaped-token density · package/test/fixtures/package-lock.json |
| medium | Remote Payload | matched "curl " · package/.github/workflows/auto-update.yml |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
2.14.0 | Low risk | 0 | 2026-06-04 |
2.13.0 | Low risk | 0 | 2026-06-04 |
2.12.0 | Low risk | 0 | 2026-06-03 |
2.11.1 | Low risk | 0 | 2026-06-02 |
2.11.0 | Low risk | 0 | 2026-06-02 |
2.10.3 | Low risk | 0 | 2026-05-30 |
2.10.2 | Low risk | 0 | 2026-05-30 |
2.10.1 | Review | 107 | 2026-05-24 |
2.9.0 | Review | 107 | 2026-05-24 |
2.10.0 | Review | 107 | 2026-05-24 |
Related campaigns
- ci_workflow_secret_harvesting:workflow references ci/cloud credential harvesting surfaces — 5 releases, max score 150
Block this in CI
pkgradar gate --ecosystem npm [email protected]