PkgRadar

Package evidence

@aihubmix/[email protected]

Credential file access: matched ".aws"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aihubmix/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aihubmix/[email protected]"],"fail_on":"high"}'
Publisherchenxue
Artifact bytes1,106,831
Previous versionnone
Published2026-05-24T15:19:11.982Z
SHA-2566f552742f44815de5cce437eb6a5ae5080e6470ba4e9ee4435a868ea6179b8e3

Why flagged

What the scanner saw

Credential file access: matched ".aws"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
207Score
0.1.0Version
Status history (1 event)
  1. newavailable · risk high · score 207 · status changed

Evidence

Static findings

12 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/upstream/anthropic/bedrock/metadata.jsonmatched ".aws"30
highCredential file accesspackage/upstream/openai/azure-preview/openapi.jsonmatched ".azure"30
highCredential file accesspackage/upstream/openai/azure/openapi.jsonmatched ".azure"30
highCredential file accesspackage/upstream/anthropic/bedrock/overlay.ymlmatched ".aws"30
mediumRemote Payloadpackage/scripts/build-manifest.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/manifest.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/cohere/official/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/openai/azure-preview/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/openai/azure/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/vertex/official/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/cohere/official/openapi.ymlmatched "curl\n "12
Show all 12 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/upstream/anthropic/bedrock/metadata.jsonmatched ".aws"30
highCredential file accesspackage/upstream/openai/azure-preview/openapi.jsonmatched ".azure"30
highCredential file accesspackage/upstream/openai/azure/openapi.jsonmatched ".azure"30
highCredential file accesspackage/upstream/anthropic/bedrock/overlay.ymlmatched ".aws"30
mediumRemote Payloadpackage/scripts/build-manifest.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/manifest.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/cohere/official/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/openai/azure-preview/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/openai/azure/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/vertex/official/metadata.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/upstream/cohere/official/openapi.ymlmatched "curl\n "12
lowObfuscationpackage/upstream/gemini/official/discovery.jsonmatched "\\u003e"3

Manifest

Package metadata

Scripts6
  • build-sitenode scripts/build-site.js
  • driftnode scripts/check-drift.js
  • manifestnode scripts/build-manifest.js
  • resolvenode scripts/overlay/apply.js
  • syncbash scripts/sync-all.sh
  • validatebash scripts/validate-all.sh
Dependencies1
  • js-yaml^4.1.0