PkgRadar

Package evidence

@certd/[email protected]

Known Indicator Filename: package/dist/bundle.js

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@certd/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@certd/[email protected]"],"fail_on":"high"}'
Publishergreper
Artifact bytes155,253
Previous version1.40.2
Published2026-05-21T15:19:53.197Z
SHA-25648734bd90ab06f19468badb61180306dce37de8dba9bcab6e9b3e2aecd123b25

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/bundle.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
102Score
1.40.3Version
Status history (1 event)
  1. newavailable · risk high · score 102 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/bundle.jspackage/dist/bundle.js45
highCredential file accesspackage/dist/bundle.jsmatched ".aws"30
mediumRemote Payloadpackage/dist/bundle.jsmatched "cURL "12
mediumObfuscation Densitypackage/dist/bundle.jshigh encoded/escaped-token density12
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/bundle.jspackage/dist/bundle.js45
highCredential file accesspackage/dist/bundle.jsmatched ".aws"30
mediumRemote Payloadpackage/dist/bundle.jsmatched "cURL "12
mediumObfuscation Densitypackage/dist/bundle.jshigh encoded/escaped-token density12
lowObfuscationpackage/dist/bundle.jsmatched "\\u0000"3

Manifest

Package metadata

Scripts5
  • before-buildnode -e "const fs=require('fs');fs.rmSync('dist',{recursive:true,force:true});fs.rmSync('tsconfig.tsbuildinfo',{force:true});fs.rmSync('.rollup.cache',{recursive:true,force:true});"
  • buildnpm run before-build && rollup -c
  • dev-buildnpm run build
  • pubnpm publish
  • test:unitcross-env NODE_ENV=unittest echo no unit tests
Dependencies9
  • buffer^5.0.8
  • create-hash^1.1.3
  • create-hmac^1.1.6
  • debug^3.1.0
  • node-fetch^2.1.2
  • querystring^0.2.0
  • rollup^3.7.4
  • url^0.11.0
  • uuid^3.1.0