npm · registry.npmjs.org

kentutai

Credential File Packaged: package/app/.env

Why PkgRadar flagged 1.3.0

Severity	Signal	Evidence
high	Credential File Packaged	package/app/.env · package/app/.env
medium	Remote Payload	matched "github.com/FiloSottile/mkcert/releases/download" · package/app/node_modules/next/dist/lib/mkcert.js
medium	Remote Payload	matched "Curl " · package/app/cli/app/src/app/(dashboard)/dashboard/media-providers/[kind]/[id]/page.js
medium	Remote Payload	matched "Curl " · package/app/src/app/(dashboard)/dashboard/media-providers/[kind]/[id]/page.js
medium	Remote Payload	matched "curl " · package/app/.next/node_modules/better-sqlite3-90e2652d1716b047/deps/download.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.3.0`	High risk	98	2026-06-13
`1.1.0`	High risk	56	2026-06-10
`1.0.0`	High risk	68	2026-06-10
`1.0.1`	High risk	68	2026-06-10
`1.7.0`	High risk	62	2026-06-10
`1.7.15`	Review	22	2026-06-05
`1.7.11`	Review	15	2026-06-05
`1.7.5`	Review	22	2026-06-03
`1.7.6`	Review	15	2026-06-03
`1.7.4`	Review	22	2026-05-31
`1.7.3`	Review	22	2026-05-31
`1.7.2`	Review	22	2026-05-31
`1.7.1`	Review	22	2026-05-31
`1.5.0`	Low risk	0	2026-05-31

Block this in CI

PkgRadar gates kentutai (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]