PkgRadar

Package evidence

@anyi61/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@anyi61/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@anyi61/[email protected]"],"fail_on":"high"}'
Publisheranyi611
Artifact bytes473,445
Previous version0.1.7
Published2026-05-22T04:02:51.708Z
SHA-256734aa0ea23e267613de501e720a817c050de7e6e440fa7fa4f090b12e34b65b4

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
222Score
0.1.9Version
Status history (1 event)
  1. newavailable · risk high · score 222 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

anyi611

2 members · evidence strength 64

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/guard.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/plugins/codex-claude-delegate/server/job-runner.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/dist/schema.jsmatched "id_rsa"30
highCredential file accesspackage/dist/server.jsmatched ".ssh"30
highCredential file accesspackage/plugins/codex-claude-delegate/server/server.jsmatched "GITHUB_TOKEN"30
mediumRemote Payloadpackage/dist/claude-cli.jsmatched "curl "12
mediumRemote Payloadpackage/plugins/codex-claude-delegate/server/job-runner.jsmatched "curl "12
mediumObfuscation Densitypackage/plugins/codex-claude-delegate/server/job-runner.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/plugins/codex-claude-delegate/server/server.jsmatched "raw.githubusercontent.com"12
mediumObfuscation Densitypackage/plugins/codex-claude-delegate/server/server.jshigh encoded/escaped-token density12
Show all 14 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/guard.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/plugins/codex-claude-delegate/server/job-runner.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/dist/schema.jsmatched "id_rsa"30
highCredential file accesspackage/dist/server.jsmatched ".ssh"30
highCredential file accesspackage/plugins/codex-claude-delegate/server/server.jsmatched "GITHUB_TOKEN"30
mediumRemote Payloadpackage/dist/claude-cli.jsmatched "curl "12
mediumRemote Payloadpackage/plugins/codex-claude-delegate/server/job-runner.jsmatched "curl "12
mediumObfuscation Densitypackage/plugins/codex-claude-delegate/server/job-runner.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/plugins/codex-claude-delegate/server/server.jsmatched "raw.githubusercontent.com"12
mediumObfuscation Densitypackage/plugins/codex-claude-delegate/server/server.jshigh encoded/escaped-token density12
lowObfuscationpackage/plugins/codex-claude-delegate/server/job-runner.jsmatched "atob("3
lowObfuscationpackage/dist/schema.jsmatched "\\u0000"3
lowObfuscationpackage/dist/server.jsmatched "\\u2014"3
lowObfuscationpackage/plugins/codex-claude-delegate/server/server.jsmatched "\\u2028"3

Manifest

Package metadata

Scripts15
  • audit:docsnode scripts/audit-docs.mjs
  • buildtsc
  • build:pluginesbuild src/server.ts src/job-runner.ts --bundle --platform=node --target=node22 --format=esm --packages=bundle --outdir=plugins/codex-claude-delegate/server --outbase=src
  • check:pluginnode scripts/check-plugin.mjs
  • devtsx src/cli.ts
  • prepublishOnlynpm run build && npm run typecheck && npm test && npm run build:plugin && npm run check:plugin
  • releasenpm version patch --no-git-tag-version && npm publish --access public
  • release:majornpm version major --no-git-tag-version && npm publish --access public
  • release:minornpm version minor --no-git-tag-version && npm publish --access public
  • startnode dist/cli.js
  • testvitest run
  • test:watchvitest
  • typechecktsc --noEmit
  • uninstallnpm run build && node scripts/uninstall-plugin.mjs
  • uninstall:dry-runnode scripts/uninstall-plugin.mjs --dry-run
Dependencies2
  • @modelcontextprotocol/sdk^1.0.0
  • zod^4.4.2