PkgRadar

Package evidence

@chorus-aidlc/[email protected]

Credential File Packaged: package/.next/standalone/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 501
Versions published: 17
First published: Apr 2026
Publisher: felix-chan

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@chorus-aidlc/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@chorus-aidlc/[email protected]"],"fail_on":"high"}'

Publisher: felix-chan
Artifact bytes: 30,938,751
Previous version: 0.8.2
Published: 2026-05-25T12:30:42.684Z
SHA-256: b51e6c9bfeef7a5125191d8c532a40d201704e44eea3b77311ab118d45263f9e

Why flagged

What the scanner saw

Credential File Packaged: package/.next/standalone/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 52
Version: 0.9.0
Status history (2 events)
  1. [available] available · risk high · score 52 · status available -> available, risk high -> high, score 207 -> 52
  2. [new] available · risk high · score 207 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burst (stale)

felix-chan

3 members · evidence strength 77

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.next/standalone/.env | package/.next/standalone/.env | 35 |
| medium | Remote Payload | package/.next/standalone/public/chorus-plugin/bin/chorus-api.sh | matched "curl " | 12 |
| low | Credential file access | package/.next/standalone/.next/static/chunks/55973.c413a5ed34ef941e.js | matched ".ssh/" | 5 |

Manifest

Package metadata

Scripts (31)
  • build → prisma generate && next build
  • build:local → DATABASE_URL='postgresql://x@localhost/x?sslmode=disable' prisma generate && DATABASE_URL='postgresql://x@localhost/x?sslmode=disable' next build
  • cdk:build → pnpm --filter @chorus/cdk run build
  • cdk:deploy → pnpm -C packages/chorus-cdk exec cdk deploy
  • cdk:destroy → pnpm --filter @chorus/cdk run destroy
  • cdk:diff → pnpm --filter @chorus/cdk run diff
  • cdk:synth → pnpm --filter @chorus/cdk run synth
  • db:generate → prisma generate
  • db:migrate → prisma migrate deploy
  • db:migrate:dev → prisma migrate dev
  • db:push → prisma db push
  • db:studio → prisma studio
  • dev → next dev --turbopack --port 8637
  • dev:local → bash scripts/dev-local.sh
  • dev:webpack → next dev
  • docker:build → docker compose build
  • docker:db → docker compose up -d db redis
  • docker:down → docker compose --profile full down
  • docker:logs → docker compose logs -f app
  • docker:up → docker compose --profile full up -d
  • landing:build → pnpm --filter chorus-landing run build
  • landing:dev → pnpm --filter chorus-landing run dev
  • landing:preview → pnpm --filter chorus-landing run preview
  • lint → eslint
  • prepack → pnpm build && node scripts/prepack-pglite.mjs
  • rebuild:local → rm -rf .next && pnpm build:local
  • start → next start
  • start:local → bash scripts/start-local.sh
  • test → vitest run
  • test:coverage → vitest run --coverage
  • …and 1 more.
Dependencies (57)
  • @electric-sql/pglite ^0.4.4
  • @electric-sql/pglite-socket ^0.1.4
  • @floating-ui/dom ^1.7.5
  • @hello-pangea/dnd ^18.0.1
  • @modelcontextprotocol/sdk ^1.26.0
  • @prisma/adapter-pg ^7.0.0
  • @prisma/client ^7.0.0
  • @radix-ui/react-alert-dialog ^1.1.15
  • @radix-ui/react-dialog ^1.1.15
  • @radix-ui/react-label ^2.1.8
  • @radix-ui/react-popover ^1.1.15
  • @radix-ui/react-progress ^1.1.8
  • @radix-ui/react-radio-group ^1.3.8
  • @radix-ui/react-select ^2.2.6
  • @radix-ui/react-slot ^1.2.4
  • @radix-ui/react-switch ^1.2.6
  • @radix-ui/react-tabs ^1.1.13
  • @streamdown/code ^1.1.0
  • @streamdown/mermaid ^1.0.2
  • @tiptap/extension-mention ^3.20.0
  • @tiptap/pm ^3.20.0
  • @tiptap/react ^3.20.0
  • @tiptap/starter-kit ^3.20.0
  • @tiptap/suggestion ^3.20.0
  • @xyflow/react ^12.10.0
  • bcryptjs ^2.4.3
  • class-variance-authority ^0.7.1
  • clsx ^2.1.1
  • cmdk ^1.1.1
  • dagre ^0.8.5
  • …and 27 more.