Package evidence
@accounter/client@0.0.12-alpha-20260524132930-1d69a956c7492d0aee5a9cd31a5b3db8076e94b0
Credential file access, Large Javascript Payload, Obfuscation
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@accounter/client@0.0.12-alpha-20260524132930-1d69a956c7492d0aee5a9cd31a5b3db8076e94b0"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@accounter/client@0.0.12-alpha-20260524132930-1d69a956c7492d0aee5a9cd31a5b3db8076e94b0"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access
2 candidate cluster(s) currently reference this release.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 55 · status changed
Related candidates
Linked campaigns and clusters
Publisher burst: GitHub Actions
2494 members · evidence strength 84Credential file access
547 members · evidence strength 90Publisher burst: GitHub Actions
2494 members · max score 369Credential file access
547 members · max score 225Evidence
Static findings
7 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/assets/modify-contract-dialog-DhSJaQN9.js | — | 30 |
| medium | Large Javascript Payload | package/dist/assets/index-PkMhthL0.js | — | 10 |
Show all 7 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/assets/modify-contract-dialog-DhSJaQN9.js | — | 30 |
| medium | Large Javascript Payload | package/dist/assets/index-PkMhthL0.js | — | 10 |
| low | Obfuscation | package/dist/assets/download-csv-DrUbVjfI.js | — | 3 |
| low | Obfuscation | package/dist/assets/index.es-CIofUqy3.js | — | 3 |
| low | Obfuscation | package/dist/assets/purify.es-CSqu8WDI.js | — | 3 |
| low | Obfuscation | package/src/helpers/strings-manipulations.ts | — | 3 |
| low | Obfuscation | package/src/lib/utils.ts | — | 3 |
Manifest
Package metadata
Scripts 6
Sign in to view install / lifecycle script contents.
Dependencies53
@atlaskit/pragmatic-drag-and-drop1.8.1@atlaskit/pragmatic-drag-and-drop-hitbox1.1.0@auth0/auth0-react2.16.2@emotion/react11.14.0@emotion/styled11.14.1@hookform/resolvers5.2.2@mantine/carousel6.0.22@mantine/core6.0.22@mantine/dates6.0.22@mantine/dropzone6.0.22@mantine/hooks6.0.22@minoru/react-dnd-treeview3.5.3@mui/material9.0.1@mui/x-charts8.28.2@tanstack/react-query5.100.10@tanstack/react-table8.21.3@urql/exchange-auth3.0.0chart.js4.5.1class-variance-authority0.7.1clsx2.1.1cmdk1.1.1csv-parse6.2.1date-fns4.2.1dayjs1.11.20decimal.js10.6.0deep-equal2.2.3dotenv17.4.2embla-carousel-react8.6.0fast-myers-diff3.2.0graphql16.14.0- …and 23 more.