PkgRadar

Package evidence

@enbox/[email protected]

Credential file access: matched ".aws"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@enbox/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@enbox/[email protected]"],"fail_on":"high"}'
Publisheritsliran
Artifact bytes243,459
Previous version0.1.4
Published2026-05-25T03:27:07.617Z
SHA-256551e0b1e782292487082646e649ed28a81e61f8ed33d323c6d9d8bdbbea1765e

Why flagged

What the scanner saw

Credential file access: matched ".aws"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
66Score
0.1.5Version
Status history (1 event)
  1. newavailable · risk high · score 66 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

itsliran

4 members · evidence strength 73

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/esm/src/config.jsmatched ".aws"30
highCredential file accesspackage/src/config.tsmatched ".aws"30
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/esm/src/config.jsmatched ".aws"30
highCredential file accesspackage/src/config.tsmatched ".aws"30
lowObfuscationpackage/dist/esm/src/admin/admin-api.jsmatched "Buffer.from(storedCredential.publicKey, 'base64"3
lowObfuscationpackage/src/admin/admin-api.tsmatched "Buffer.from(storedCredential.publicKey, 'base64"3

Manifest

Package metadata

Scripts8
  • buildbun run clean && bun run build:esm
  • build:esmbun run clean && tsc
  • cleanrm -rf dist && rm -rf generated/*
  • linteslint . --max-warnings 0
  • lint:fixeslint . --fix
  • serverbun run build:esm && bun dist/esm/src/main.js
  • test:nodebun test .test.ts
  • test:node:coveragebun test --coverage --coverage-reporter=text --coverage-reporter=lcov --coverage-dir=coverage .test.ts
Dependencies20
  • @enbox/common0.1.1
  • @enbox/crypto0.1.1
  • @enbox/dids0.1.1
  • @enbox/dwn-clients0.4.1
  • @enbox/dwn-sdk-js0.3.6
  • @enbox/dwn-sql-store0.0.21
  • @nats-io/jetstream3.3.1
  • @nats-io/transport-node3.3.1
  • @simplewebauthn/server13.2.3
  • bytes3.1.2
  • jose6.1.3
  • kysely0.28.14
  • loglevel1.8.1
  • loglevel-plugin-prefix0.8.4
  • mysql23.9.8
  • pg8.11.2
  • pg-cursor2.10.2
  • prom-client14.2.0
  • uuid9.0.0
  • ws8.18.0
Optional dependencies1
  • @enbox/dwn-server-admin-ui0.1.0