Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cafeai/[email protected]"],"fail_on":"high"}'
GitHub Actions step:
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cafeai/[email protected]"],"fail_on":"high"}'
Why flagged
What the scanner saw
Credential file access: matched ".SSH"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 343 · status changed
Related candidates
Linked campaigns and clusters
cafeai
3 members · evidence strength 74
Evidence
Static findings
60 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/apps/desktop/dist-electron/main.cjs | matched ".SSH" | 30 |
| high | Credential file access | package/dist/apps/server/dist/client/assets/ssh-config-BgfXC-Er.js | matched ".ssh" | 30 |
| high | Credential file access | package/dist/client/assets/ssh-config-BgfXC-Er.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/dist/apps/server/dist/client/assets/blade-DghGRsw7.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/client/assets/blade-DghGRsw7.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/apps/server/dist/client/assets/julia-CgTICk1r.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/client/assets/julia-CgTICk1r.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/apps/server/dist/client/assets/php-CSWOrrL9.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/client/assets/php-CSWOrrL9.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/apps/server/dist/client/assets/index-DfRZijch.js | 3081486 bytes | 10 |
| medium | Large Javascript Payload | package/dist/client/assets/index-DfRZijch.js | 3081486 bytes | 10 |
| medium | Large Javascript Payload | package/dist/apps/server/dist/bin.mjs | 3211013 bytes | 10 |
| medium | Large Javascript Payload | package/dist/bin.mjs | 3211013 bytes | 10 |
Low-signal and informational findings (remaining 47 of 60)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation | package/dist/apps/desktop/dist-electron/main.cjs | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/ara-4CJ0cIlV.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/ara-4CJ0cIlV.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/blade-DghGRsw7.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/blade-DghGRsw7.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/coffee-CHLtrQWa.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/client/assets/coffee-CHLtrQWa.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/coq-BrsZFFmf.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/client/assets/coq-BrsZFFmf.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/crystal-DXg7X_Lh.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/client/assets/crystal-DXg7X_Lh.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/css-BZ-gObEB.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/client/assets/css-BZ-gObEB.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/glimmer-js-DDsppZu9.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/client/assets/glimmer-js-DDsppZu9.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/glimmer-ts-DHNuc4Ln.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/client/assets/glimmer-ts-DHNuc4Ln.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/hack-BpQ7U6aW.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/hack-BpQ7U6aW.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/html-RGiYyJ8D.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/html-RGiYyJ8D.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/julia-CgTICk1r.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/client/assets/julia-CgTICk1r.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/less-DVTAwKKz.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/less-DVTAwKKz.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/php-CSWOrrL9.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/php-CSWOrrL9.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/puppet-CDv2pdJW.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/puppet-CDv2pdJW.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/ruby-B89KL51U.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/ruby-B89KL51U.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/scss-BHaI81cK.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/scss-BHaI81cK.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/stata-DgnXA-Gr.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/stata-DgnXA-Gr.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/stylus-B6D30XZt.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/stylus-B6D30XZt.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/twig-nG7g0qt2.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/client/assets/twig-nG7g0qt2.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/typst-DI99ib-x.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/typst-DI99ib-x.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/vue-BE53-YC_.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/client/assets/vue-BE53-YC_.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/wasm-BnjxR4X6.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/client/assets/wasm-BnjxR4X6.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/apps/server/dist/client/assets/worker-B_h_pwVO.js | matched "\\uD800" | 3 |
| low | Obfuscation | package/dist/client/assets/worker-B_h_pwVO.js | matched "\\uD800" | 3 |
Manifest
Package metadata
Dependencies (12)
- @anthropic-ai/claude-agent-sdk ^0.3.148
- @anthropic-ai/sdk ^0.98.0
- @effect/platform-bun 4.0.0-beta.59
- @effect/platform-node 4.0.0-beta.59
- @effect/platform-node-shared 4.0.0-beta.59
- @effect/sql-sqlite-bun 4.0.0-beta.59
- @opencode-ai/sdk ^1.3.15
- @pierre/diffs 1.1.20
- effect 4.0.0-beta.59
- electron 42.2.0
- electron-updater ^6.6.2
- node-pty ^1.1.0