npm · registry.npmjs.org
mcp-coordinator
Credential file access: matched "GITHUB_TOKEN"
Why PkgRadar flagged 0.12.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential file access | matched "GITHUB_TOKEN" · package/dist/cli/server/start.js |
| medium | Remote Payload | matched "cUrl " · package/dist/src/auth.js |
| medium | Remote Payload | matched "cUrl " · package/dist/src/boot.js |
| medium | Remote Payload | matched "cUrl\n " · package/dist/src/auth/device-flow.js |
| medium | Remote Payload | matched "cUrl " · package/dist/src/discovery.js |
| medium | Remote Payload | matched "cUrl " · package/dist/cli/doctor.js |
| medium | Remote Payload | matched "cUrl " · package/dist/cli/init.js |
| medium | Remote Payload | matched "cUrl " · package/dist/src/auth/oauth-login.js |
| medium | Remote Payload | matched "cUrl " · package/dist/src/auth/refresh-rotation.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 0.12.0 | Review | 92 | 2026-05-24 |
| 0.13.0 | Review | 92 | 2026-05-24 |
Related campaigns
- swoofer — 4 releases, max score 107
Block this in CI
pkgradar gate --ecosystem npm [email protected]