Package evidence

@florianpat/[email protected]

Known Indicator Filename: package/node_modules/@sigstore/bundle/dist/bundle.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@florianpat/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@florianpat/[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes12,501,874

Previous version3.26.3-1florianPat.15

Published2026-05-24T21:41:14.644Z

SHA-256709febbcf76cfdca6ab8f4e515ce722ce1418cb2286b9c719d21963c41d6a3d1

Why flagged

What the scanner saw

Known Indicator Filename: package/node_modules/@sigstore/bundle/dist/bundle.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

19d agoLast checked

highRisk

2547Score

3.26.5-1florianPat.0Version

Status history (1 event)

new → available19d ago · risk high · score 2547 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPstale

Known Indicator Filename — package/node_modules/@sigstore/sign/dist/bundler/bundle.js

4 members · evidence strength 90

Repeated static TTPstale

Known Indicator Filename — package/node_modules/@sigstore/bundle/dist/bundle.js

4 members · evidence strength 90

Evidence

Static findings

377 static · 0 from release diff · showing high-signal first.

Showing 30 of 82 findings.

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/node_modules/@sigstore/bundle/dist/bundle.js	package/node_modules/@sigstore/bundle/dist/bundle.js	45
high	Known Indicator Filename	package/node_modules/@sigstore/sign/dist/bundler/bundle.js	package/node_modules/@sigstore/sign/dist/bundler/bundle.js	45
high	Credential file access	package/builders/_lando.js	matched ".ssh"	30
high	Credential file access	package/hooks/app-check-ssh-keys.js	matched ".ssh"	30
high	Credential file access	package/node_modules/@npmcli/arborist/lib/consistent-resolve.js	matched ".ssh"	30
high	Credential file access	package/node_modules/@npmcli/arborist/lib/dep-valid.js	matched ".ssh"	30
high	DNS / OAST exfiltration	package/node_modules/@npmcli/agent/lib/dns.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/retry/example/dns.js	matched "dns.resolve"	30
high	Credential file access	package/node_modules/node-forge/dist/forge.all.min.js	matched ".ssh"	30
high	Credential file access	package/node_modules/node-forge/dist/forge.min.js	matched ".ssh"	30
high	Credential file access	package/node_modules/pacote/lib/git.js	matched ".ssh"	30
high	Credential file access	package/sources/github.js	matched "id_rsa"	30
high	Credential file access	package/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/hosted-git-info/lib/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/is-lambda/index.js	matched ".AWS"	30
high	Credential file access	package/node_modules/npm-package-arg/node_modules/hosted-git-info/lib/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/npm-packlist/lib/index.js	matched ".npmrc"	30
high	DNS / OAST exfiltration	package/node_modules/socks-proxy-agent/dist/index.js	matched "dns.lookup"	30
high	Credential file access	package/components/l337-v4.js	matched ".ssh"	30
high	Credential file access	package/builders/lando-v4.js	matched ".npmrc"	30
high	DNS / OAST exfiltration	package/node_modules/@sigstore/sign/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/npm-profile/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/npm-registry-fetch/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/sigstore/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/tuf-js/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	Credential file access	package/hooks/plugin-auth-from-npmrc.js	matched ".npmrc"	30
high	Credential file access	package/packages/ssh-agent/ssh-agent.js	matched ".SSH"	30
high	Credential file access	package/node_modules/node-forge/lib/ssh.js	matched ".ssh"	30
high	Credential file access	package/node_modules/is-lambda/test.js	matched ".AWS"	30

Show all 377 findings (low-signal and informational)

Showing 60 of 377 findings.

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/node_modules/@sigstore/bundle/dist/bundle.js	package/node_modules/@sigstore/bundle/dist/bundle.js	45
high	Known Indicator Filename	package/node_modules/@sigstore/sign/dist/bundler/bundle.js	package/node_modules/@sigstore/sign/dist/bundler/bundle.js	45
high	Credential file access	package/builders/_lando.js	matched ".ssh"	30
high	Credential file access	package/hooks/app-check-ssh-keys.js	matched ".ssh"	30
high	Credential file access	package/node_modules/@npmcli/arborist/lib/consistent-resolve.js	matched ".ssh"	30
high	Credential file access	package/node_modules/@npmcli/arborist/lib/dep-valid.js	matched ".ssh"	30
high	DNS / OAST exfiltration	package/node_modules/@npmcli/agent/lib/dns.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/retry/example/dns.js	matched "dns.resolve"	30
high	Credential file access	package/node_modules/node-forge/dist/forge.all.min.js	matched ".ssh"	30
high	Credential file access	package/node_modules/node-forge/dist/forge.min.js	matched ".ssh"	30
high	Credential file access	package/node_modules/pacote/lib/git.js	matched ".ssh"	30
high	Credential file access	package/sources/github.js	matched "id_rsa"	30
high	Credential file access	package/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/hosted-git-info/lib/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/is-lambda/index.js	matched ".AWS"	30
high	Credential file access	package/node_modules/npm-package-arg/node_modules/hosted-git-info/lib/index.js	matched ".ssh"	30
high	Credential file access	package/node_modules/npm-packlist/lib/index.js	matched ".npmrc"	30
high	DNS / OAST exfiltration	package/node_modules/socks-proxy-agent/dist/index.js	matched "dns.lookup"	30
high	Credential file access	package/components/l337-v4.js	matched ".ssh"	30
high	Credential file access	package/builders/lando-v4.js	matched ".npmrc"	30
high	DNS / OAST exfiltration	package/node_modules/@sigstore/sign/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/npm-profile/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/npm-registry-fetch/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/sigstore/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	DNS / OAST exfiltration	package/node_modules/tuf-js/node_modules/make-fetch-happen/lib/options.js	matched "dns.lookup"	30
high	Credential file access	package/hooks/plugin-auth-from-npmrc.js	matched ".npmrc"	30
high	Credential file access	package/packages/ssh-agent/ssh-agent.js	matched ".SSH"	30
high	Credential file access	package/node_modules/node-forge/lib/ssh.js	matched ".ssh"	30
high	Credential file access	package/node_modules/is-lambda/test.js	matched ".AWS"	30
high	Credential file access	package/lib/updates.js	matched "GITHUB_TOKEN"	30
high	Credential file access	package/node_modules/object-treeify/package.json	matched ".aws"	30
high	Credential file access	package/scripts/load-keys.sh	matched ".ssh"	30
high	Credential file access	package/scripts/user-perms.sh	matched ".ssh"	30
high	Credential file access	package/node_modules/valid-path/.github/workflows/cd.yml	matched ".npmrc"	30
high	Credential file access	package/node_modules/node-gyp/gyp/.github/workflows/release-please.yml	matched "GITHUB_TOKEN"	30
medium	Obfuscation Density	package/node_modules/esprima/dist/esprima.js	high encoded/escaped-token density	12
medium	Remote Payload	package/node_modules/hosted-git-info/lib/hosts.js	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/node_modules/npm-package-arg/node_modules/hosted-git-info/lib/hosts.js	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/node_modules/node-fetch/lib/index.es.js	matched "cURL "	12
medium	Obfuscation Density	package/node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/index.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/node_modules/@isaacs/cliui/node_modules/emoji-regex/index.js	high encoded/escaped-token density	12
medium	Remote Payload	package/node_modules/@sigstore/sign/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Obfuscation Density	package/node_modules/emoji-regex/es2015/index.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/node_modules/emoji-regex/index.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/node_modules/listr2/node_modules/emoji-regex/es2015/index.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/node_modules/listr2/node_modules/emoji-regex/index.js	high encoded/escaped-token density	12
medium	Remote Payload	package/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Remote Payload	package/node_modules/node-fetch/lib/index.js	matched "cURL "	12
medium	Remote Payload	package/node_modules/npm-profile/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Remote Payload	package/node_modules/npm-registry-fetch/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Remote Payload	package/node_modules/sigstore/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Obfuscation Density	package/node_modules/tr46/index.js	high encoded/escaped-token density	12
medium	Remote Payload	package/node_modules/tuf-js/node_modules/minipass-fetch/lib/index.js	matched "cURL "	12
medium	Remote Payload	package/node_modules/undici/lib/web/fetch/index.js	matched "curl "	12
medium	Remote Payload	package/hooks/lando-setup-buildx.js	matched "github.com/docker/buildx/releases/download"	12
medium	Remote Payload	package/hooks/lando-setup-orchestrator.js	matched "github.com/docker/compose/releases/download"	12
medium	Obfuscation Density	package/node_modules/lodash/lodash.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/node_modules/lodash/lodash.min.js	high encoded/escaped-token density	12
medium	Remote Payload	package/node_modules/@npmcli/arborist/node_modules/npm-package-arg/lib/npa.js	matched "cUrl\n "	12

Manifest

Package metadata

Scripts13

coveragenyc report --reporter=text-lcov | coveralls
docs:buildVPL_MVB_VERSION=$(git describe --tags --always --abbrev=1 --match="v[0-9].*") vitepress build docs && npm run docs:rename-sitemap
docs:devVPL_BASE_URL=http://localhost:5173 VPL_MVB_VERSION=$(git describe --tags --always --abbrev=1 --match="v[0-9].*") vitepress dev docs
docs:mvbnpx mvb docs && npm run docs:rename-sitemap
docs:previewvitepress preview docs
docs:rename-sitemapnode docs/.vitepress/rename-sitemap.js
linteslint . --ext .js --ext .mjs
pkgpkg --config package.json --output dist/lando ---targets node20 --options 'dns-result-order=ipv4first' bin/lando
testnpm run lint && npm run test:unit
test:leialeia "examples/**/README.md" -c 'Destroy tests' --stdin
test:unitnyc --reporter=html --reporter=text mocha --timeout 5000 test/**/*.spec.js
typechecktsc --project jsconfig.json 2>&1 | grep -v '^node_modules/' || true
typecheck:fulltsc --project jsconfig.json || true

Dependencies61

@lando/argv^1.2.0
@npmcli/agent^2.2.2
@npmcli/arborist^6.2.9
@oclif/core^3.27.0
@octokit/rest^19
axios^1.5.1
bluebird^3.4.1
chalk^4.1.2
clean-stacktrace^1.1.0
cli-table^0.3.11
cli-table3^0.6.5
cli-truncate2.1.0
copy-dir^0.4.0
debug^4.3.4
delay^5
dockerfile-generator^5.0.0
dockerfile-utils^0.15.0
dockerode^2.4.2
enquirer^2.4.1
figlet^1.8.0
figures^3.2.0
fs-extra^11.1.1
glob^7.1.3
ini^5.0.0
inquirer^6.5.2
inquirer-autocomplete-prompt^1.4.0
is-class^0.0.9
is-docker^2.2.1
is-interactive^1
is-root^2
…and 31 more.