PkgRadar

Package evidence

@blundergoat/[email protected]

Shell Credential File Read, Remote Payload, Credential file access

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
521
Versions published
37
First published
Mar 2026
Publisher
blundergoat

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@blundergoat/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@blundergoat/[email protected]"],"fail_on":"high"}'
Publisherblundergoat
Artifact bytes1,125,109
Previous version1.13.0
Published2026-07-05T05:55:38.284Z
SHA-25671c36406ac2c0daf6e3ac75fcc1d2374cabc6b754b5c521e6c4afcc4016dafe5

Why flagged

What the scanner saw

Shell Credential File Read

2 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
110Score
1.13.1Version
Status history (1 event)
  1. newavailable · risk high · score 110 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Shell Credential File Read

25 members · evidence strength 90
Publisher / release actor burstactive

Publisher burst: blundergoat

7 members · evidence strength 84
Repeated static TTPcandidate

Shell Credential File Read

25 members · max score 194
Publisher / release actor burstcandidate

Publisher burst: blundergoat

7 members · max score 110

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highShell Credential File Readmanifest45
mediumRemote Payloadmanifest12
mediumRemote Payloadmanifest12
mediumCredential file accessmanifest10
Show all 11 findings (low-signal and informational)
SeverityKindPathDetailPoints
highShell Credential File Readmanifest45
mediumRemote Payloadmanifest12
mediumRemote Payloadmanifest12
mediumCredential file accessmanifest10
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest3
lowCredential file accessmanifest3

Manifest

Package metadata

Dependencies2
  • js-yaml^4.1.0
  • ws^8.20.1
Optional dependencies1
  • node-pty1.1.0