Package evidence

@ductape/[email protected]

Credential file access: matched ".AWS"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ductape/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ductape/[email protected]"],"fail_on":"high"}'

Publisherfeekayo

Artifact bytes1,337,187

Previous version0.1.10

Published2026-05-24T09:18:37.317Z

SHA-256b4305663faccf3d211d8e4696e1da595bbac18a9fd184095f86d86951ccefc61

Why flagged

What the scanner saw

Credential file access: matched ".AWS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

20d agoLast checked

highRisk

324Score

0.1.11Version

Status history (1 event)

new → available20d ago · risk high · score 324 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

feekayo

3 members · evidence strength 77

Evidence

Static findings

15 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/brokers/utils/broker.util.js	matched ".AWS"	30
high	Credential file access	package/dist/brokers/brokers.service.js	matched ".AWS"	30
high	Credential file access	package/dist/products/validators/joi-validators/create.productStorage.validator.js	matched ".AWS"	30
high	Credential file access	package/dist/products/utils/functions.utils.js	matched ".AWS"	30
high	Credential file access	package/dist/processor/services/processor.service.js	matched ".AWS"	30
high	Credential file access	package/dist/products/services/products.service.js	matched ".AWS"	30
high	Credential file access	package/dist/storage/storage.service.js	matched ".AWS"	30
high	Credential file access	package/dist/processor/utils/storage.util.js	matched ".AWS"	30
high	Credential file access	package/dist/storage/utils/storage.util.js	matched ".AWS"	30
high	Credential file access	package/package.json	matched ".aws"	30
medium	Remote Payload	package/dist/brokers/brokers.service.js	matched "cUrl "	12

Show all 15 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/brokers/utils/broker.util.js	matched ".AWS"	30
high	Credential file access	package/dist/brokers/brokers.service.js	matched ".AWS"	30
high	Credential file access	package/dist/products/validators/joi-validators/create.productStorage.validator.js	matched ".AWS"	30
high	Credential file access	package/dist/products/utils/functions.utils.js	matched ".AWS"	30
high	Credential file access	package/dist/processor/services/processor.service.js	matched ".AWS"	30
high	Credential file access	package/dist/products/services/products.service.js	matched ".AWS"	30
high	Credential file access	package/dist/storage/storage.service.js	matched ".AWS"	30
high	Credential file access	package/dist/processor/utils/storage.util.js	matched ".AWS"	30
high	Credential file access	package/dist/storage/utils/storage.util.js	matched ".AWS"	30
high	Credential file access	package/package.json	matched ".aws"	30
medium	Remote Payload	package/dist/brokers/brokers.service.js	matched "cUrl "	12
low	Obfuscation	package/dist/database/presave/presave-processor.js	matched "\\u0300"	3
low	Obfuscation	package/dist/storage/storage.service.js	matched "Buffer.from(rawPayload, 'base64"	3
low	Obfuscation	package/dist/processor/utils/storage.util.js	matched "Buffer.from(data, \"base64"	3
low	Obfuscation	package/dist/storage/utils/storage.util.js	matched "Buffer.from(data, 'base64"	3

Manifest

Package metadata

Scripts57

buildtsc
docstypedoc --out docs src
parity:fixturests-node tools/parity-fixtures-gen.ts
populate:consumersts-node src/test/populate.consumers.ts
populate:db:mongots-node src/test/populate.db.mongo.ts
populate:db:mysqlts-node src/test/populate.db.mysql.ts
populate:db:postgrests-node src/test/populate.db.postgres.ts
populate:graph:neo4jts-node src/test/populate.graph.neo4j.ts
populate:graph:neo4j2ts-node src/test/populate.graph.neo4j2.ts
populate:messagingts-node src/test/populate.messaging.ts
populate:sessionts-node src/test/populate.session.ts
populate:storage:awsts-node src/test/populate.storage.aws.ts
populate:storage:azurets-node src/test/populate.storage.azure.ts
populate:storage:gcpts-node src/test/populate.storage.gcp.ts
populate:vector:pineconets-node src/test/populate.vector.pinecone.ts
populate:vector:qdrantts-node src/test/populate.vector.qdrant.ts
populate:vector:weaviatets-node src/test/populate.vector.weaviate.ts
populate:vector:weaviate2ts-node src/test/populate.vector.weaviate2.ts
populate:workflowsts-node src/test/populate.workflows.ts
prepublishOnlynpm run build
servenodemon --exec ts-node ./src/index.ts
sharonts-node src/test/sharon.ts
testjest
test:appnodemon --exec ts-node src/test/test.app.ts
test:broker-messagesnodemon --exec ts-node src/test/test.broker-messages.ts
test:cachesnodemon --exec ts-node src/test/test.caches.ts
test:coveragejest --coverage
test:db:dynamonodemon --exec ts-node src/test/test.database.dynamo.ts
test:db:mongonodemon --exec ts-node src/test/test.database.mongo.ts
test:db:mysqlnodemon --exec ts-node src/test/test.database.mysql.ts
…and 27 more.

Dependencies33

@aws-sdk/client-sqs^3.750.0
@azure/storage-blob^12.26.0
@google-cloud/pubsub^4.10.0
@types/redis^4.0.11
amqplib^0.10.5
aws-sdk^2.1692.0
axios^1.5.0
bson-objectid^2.0.4
bullmq^5.58.0
crypto-js^4.2.0
date-fns^4.1.0
dt-sql-parser^4.0.2
firebase-admin^13.0.1
form-data^4.0.1
google-auth-library^9.15.1
gtoken^7.1.0
handlebars^4.7.8
ioredis^5.7.0
joi^17.7.0
js-yaml^4.1.0
jsonwebtoken^9.0.2
jwa^2.0.1
jws^4.0.0
kafkajs^2.2.4
lodash^4.17.21
mongodb^6.14.2
nats^2.29.3
nodemailer^6.10.0
pg^8.13.3
redis^4.7.0
…and 3 more.

Optional dependencies3

arangojs^10.1.2
gremlin^3.8.0
neo4j-driver^6.0.1