PkgRadar

Package evidence

@pugi/[email protected]

Shell Credential File Read, Js Hidden Powershell, Credential file access

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
177
First published
May 2026
Publisher
pugi.dev

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pugi/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pugi/[email protected]"],"fail_on":"high"}'
Publisherpugi.dev
Artifact bytes1,012,793
Previous version0.1.0-beta.49
Published2026-05-29T07:34:10.028Z
SHA-25652343b53ef030c30d51325cd8cf7a27c950061fdbf88f1655bd0a46cfb04ca25

Why flagged

What the scanner saw

Shell Credential File Read

2 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
125Score
0.1.0-beta.50Version
Status history (2 events)
  1. availableavailable · risk high · score 125 · status available -> available, risk review -> high, score 56 -> 125
  2. newavailable · risk review · score 56 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Shell Credential File Read

25 members · evidence strength 90
Publisher / release actor burstactive

Publisher burst: pugi.dev

52 members · evidence strength 84
Publisher / release actor burstcandidate

Publisher burst: pugi.dev

52 members · max score 125
Repeated static TTPcandidate

Shell Credential File Read

25 members · max score 194

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highShell Credential File Readmanifest45
highJs Hidden Powershellmanifest45
Show all 9 findings (low-signal and informational)
SeverityKindPathDetailPoints
highShell Credential File Readmanifest45
highJs Hidden Powershellmanifest45
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowCredential file accessmanifest5

Manifest

Package metadata

Dependencies13
  • @mozilla/readability^0.6.0
  • @pugi/personas0.1.2
  • @pugi/sdk0.1.0-beta.50
  • chokidar^3.6.0
  • ignore^5.3.2
  • ink^5.0.1
  • linkedom^0.18.12
  • react^18.3.1
  • tar^7.5.11
  • tinyglobby^0.2.16
  • turndown^7.2.4
  • undici^8.3.0
  • zod^3.23.0