PkgRadar

Package evidence

@davidwells/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@davidwells/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@davidwells/[email protected]"],"fail_on":"high"}'
Publisherdavidwells
Artifact bytes69,986
Previous version0.4.4
Published2026-05-24T22:01:44.512Z
SHA-256b75482370ea34e12819cb157868b10589a13d2e87f292928549ccaff1e926eb6

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
55Score
0.5.1Version
Status history (1 event)
  1. newavailable · risk high · score 55 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

davidwells

5 members · evidence strength 83

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/.github/workflows/claude.ymlmatched "GITHUB_TOKEN"30
Show all 9 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/.github/workflows/claude.ymlmatched "GITHUB_TOKEN"30
lowInstall-time lifecycle scriptpackage.jsonprepare="npm run build"4
lowObfuscationpackage/dist/platform/b64.jsmatched "Buffer.from(b64Encoded, \"base64"3
lowObfuscationpackage/dist/srp/franken-srp/compute-key.jsmatched "\\u0001"3
lowObfuscationpackage/dist/util/converters.jsmatched "fromCharCode"3
lowObfuscationpackage/src/platform/b64.tsmatched "Buffer.from(b64Encoded, \"base64"3
lowObfuscationpackage/src/srp/franken-srp/compute-key.tsmatched "\\u0001"3
lowObfuscationpackage/src/util/converters.tsmatched "fromCharCode"3
lowObfuscationpackage/.github/workflows/claude.ymlmatched "fromCharCode"3

Manifest

Package metadata

Scripts13
  • buildnpm run clean && tsc --build --force
  • cdkdeploycd src/test/cdk && cdk deploy --outputs-file cfn_out.json
  • cdkdestroycd src/test/cdk && cdk destroy
  • cdktestjest src/test/cdk
  • cleanrm -rf tsconfig.tsbuildinfo dist
  • createTestUserscd src/test && ts-node createTestUsers > test_users_out.json
  • preparenpm run build
  • publishgit push origin && git push origin --tags
  • release:majornpm version major && npm publish
  • release:minornpm version minor && npm publish
  • release:patchnpm version patch && npm publish
  • testjest
  • watchtsc --build --force --watch