Package evidence

@coder/[email protected]

Credential file access: matched ".ssh"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@coder/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@coder/[email protected]"],"fail_on":"high"}'

Publisherkylecarbs

Artifact bytes47,754,704

Previous versionnone

Published2026-05-24T20:00:36.934Z

SHA-2562a8d46b5b7849778f2ac4f9df426434cb145b58017a33155f1fe14304508a218

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

10d agoLast checked

highRisk

2728Score

26.513.20950Version

Status history (1 event)

new → available10d ago · risk high · score 2728 · status changed

Evidence

Static findings

204 static · 0 from release diff · showing high-signal first.

Showing 30 of 94 findings.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/scratch/asar/webview/assets/am-BZW2E1OZ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/app-main-Dsg36Y4q.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ar-BBFSzsrA.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bg-BG-Bx27VwLC.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bn-BD-Bemqc_e9.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bs-BA-B_764pQ1.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ca-ES-fSSV7oSw.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/cs-CZ-Ww7blGnf.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/da-DK-e3KtrDrB.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/de-DE-BolUFQhy.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/debug-modal-CKcdboWI.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/el-GR-Db4ne67s.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/es-419-C1gqn_Qb.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/es-ES-I6iEFFBQ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/et-EE-BEgIIda2.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fa-BS7Td0pR.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fi-FI-Cz0MyUle.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fr-CA-ANsV76No.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fr-FR-B7sp6pAD.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/gu-IN-DFaUpWEM.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hi-IN-C94IPEN9.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hr-HR-DAAgq5RR.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hu-HU-C6EhGj8_.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hy-AM-B1YE18r1.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/id-ID-Cez6aisA.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/is-IS-fKlG-Fyq.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/it-IT-BrHNeivB.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ja-JP-DEEpToEQ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ka-GE-Bfpnw-Rc.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/kk-D4Yg-6Ge.js	matched ".ssh"	30

Show all 204 findings (low-signal and informational)

Showing 60 of 204 findings.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/scratch/asar/webview/assets/am-BZW2E1OZ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/app-main-Dsg36Y4q.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ar-BBFSzsrA.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bg-BG-Bx27VwLC.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bn-BD-Bemqc_e9.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/bs-BA-B_764pQ1.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ca-ES-fSSV7oSw.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/cs-CZ-Ww7blGnf.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/da-DK-e3KtrDrB.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/de-DE-BolUFQhy.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/debug-modal-CKcdboWI.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/el-GR-Db4ne67s.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/es-419-C1gqn_Qb.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/es-ES-I6iEFFBQ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/et-EE-BEgIIda2.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fa-BS7Td0pR.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fi-FI-Cz0MyUle.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fr-CA-ANsV76No.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/fr-FR-B7sp6pAD.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/gu-IN-DFaUpWEM.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hi-IN-C94IPEN9.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hr-HR-DAAgq5RR.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hu-HU-C6EhGj8_.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/hy-AM-B1YE18r1.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/id-ID-Cez6aisA.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/is-IS-fKlG-Fyq.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/it-IT-BrHNeivB.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ja-JP-DEEpToEQ.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ka-GE-Bfpnw-Rc.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/kk-D4Yg-6Ge.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/kn-IN-C3x94TPo.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ko-KR-DmsZbSK4.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/lt-McRfLJMe.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/lv-LV-Dinis2o-.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/.vite/build/main-kSlb32Yb.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/markdown-C3q7GuCV.js	matched ".npmrc"	30
high	Credential file access	package/scratch/asar/webview/assets/mk-MK-BP3u0u2Q.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ml-D5K8VkXz.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/mn-D-QMKNd9.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/mr-IN-CQu57ax_.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ms-MY-B3iAv6Zs.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/my-MM-ISSC65wE.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/nb-NO-LParFxQw.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/nl-NL-nVJ1qO5f.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/pa-C2sgNj7r.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/pl-PL-DWcDyknb.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/pt-BR-D7mzfy65.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/pt-PT-DoR-KLMz.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/remote-connections-settings-DoZlhYZR.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ro-RO-CDzGxCck.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ru-RU-BY5N6fWO.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sk-SK-Dx2nhi0C.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sl-SI-BnyKj8Bm.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/so-SO-BMVE7nDV.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sq-AL-JFIRvjaj.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sr-RS-8ZSQhnyh.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/src-CdfxiY-T.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/ssh-config--wNktd4t.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sv-SE-DvGUQJO4.js	matched ".ssh"	30
high	Credential file access	package/scratch/asar/webview/assets/sw-TZ-BWPhWA4V.js	matched ".ssh"	30

Manifest

Package metadata

Scripts25

buildnode -e "require('node:fs').rmSync('out',{force:true,recursive:true})" && cross-env PNPM_YES=true pnpm run forge:make
build:cinode -e "require('node:fs').rmSync('out',{force:true,recursive:true})" && cross-env PNPM_YES=true pnpm run forge:package
build:owlcross-env PNPM_YES=true node ./scripts/owl-shell.mjs package
compilepnpm exec tsgo -b
devpnpm exec node ./scripts/prepare-dev.mjs --native-modules && cross-env NODE_ENV=development electron-forge start
devtools:resetnode -e "const fs=require('node:fs');const os=require('node:os');const path=require('node:path');for(const target of ['extensions/fmkadmapgofadopljbjfkapdkoienihi','Service Worker','Code Cache'])fs.rmSync(path.join(os.homedir(),'Library','Application Support','Codex',target),{force:true,recursive:true})"
e2e:computer-use-native-pipenode ./scripts/computer-use-native-pipe-e2e.mjs
forge:makepnpm run rebuild:native-modules && pnpm run rebuild:forge-natives && electron-forge make
forge:make:owl-shellpnpm run rebuild:forge-natives && electron-forge make
forge:packagepnpm run rebuild:native-modules && pnpm run rebuild:forge-natives && electron-forge package
forge:publishpnpm run rebuild:native-modules && pnpm run rebuild:forge-natives && electron-forge publish
formatoxfmt --check
format:fixoxfmt --write
lintpnpm exec oxlint --threads=1 --tsconfig ./tsconfig.json --max-warnings 0 --type-aware --type-check
lint:fixpnpm exec oxlint --threads=1 --tsconfig ./tsconfig.json --max-warnings 0 --type-aware --type-check --fix
metadata-pathpnpm exec tsx ./scripts/dev-metadata.ts path
owlpnpm exec node ./scripts/prepare-dev.mjs && cross-env NODE_ENV=development node ./scripts/owl-shell.mjs run
owl:ensurenode ./scripts/owl-shell.mjs ensure
owl:packagecross-env PNPM_YES=true node ./scripts/owl-shell.mjs package
playwright:agent:replpnpm run rebuild:native-modules && node --import tsx ./scripts/playwright-electron-agent-cdp.mjs
rebuild:forge-nativesnode ./scripts/rebuild-forge-natives.mjs
rebuild:native-modulesnode ./scripts/rebuild-native-modules.mjs
testpnpm run rebuild:native-modules && node ./scripts/ensure-electron-binary.mjs && vitest run
test:quietpnpm run rebuild:native-modules && node ./scripts/ensure-electron-binary.mjs && vitest run --silent --reporter=dot
tscpnpm exec tsgo --noEmit

Dependencies27

@sentry/electron^7.5.0
@sentry/node10.29.0
app-server-typesworkspace:*
better-sqlite3^12.9.0
browser-apifile:../../../lib/browser_use/browser-api
browser-backend-commonlink:../../../lib/browser_use/browser-backend-common
browser-commonlink:../../../lib/browser_use/browser-common
bufferutil^4.0.1
commandsworkspace:*
electron-context-menu^4.1.1
external-agent-migrationworkspace:*
lodash^4.17.21
mdast-util-from-markdown^2.0.3
mdast-util-to-string^4.0.0
mime-types^2.1.35
node-pty^1.1.0
objc-js1.5.0
protocolworkspace:*
shared-nodeworkspace:*
shlex^3.0.0
smol-toml^1.5.2
ssh-config^5.0.3
tslib^2.8.1
utf-8-validate^6.0.0
which^4.0.0
ws^8.18.3
zod^4.1.13