PkgRadar

Package evidence

@getpaseo/[email protected]

Credential file access: matched ".ssh"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@getpaseo/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@getpaseo/[email protected]"],"fail_on":"high"}'
Publisherboudra
Artifact bytes2,431,992
Previous version0.1.80
Published2026-05-24T06:13:28.864Z
SHA-256e8310121755e11a8f2d191ab349b629a66946408dc445c8d19862ed7bd9e3561

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
78Score
0.1.81Version
Status history (1 event)
  1. newavailable · risk high · score 78 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

boudra

2 members · evidence strength 59

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/server/services/github-service.jsmatched ".ssh"30
mediumRemote Payloadpackage/dist/server/server/speech/providers/local/sherpa/model-catalog.jsmatched "github.com/k2-fsa/sherpa-onnx/releases/download"12
Show all 14 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/server/services/github-service.jsmatched ".ssh"30
mediumRemote Payloadpackage/dist/server/server/speech/providers/local/sherpa/model-catalog.jsmatched "github.com/k2-fsa/sherpa-onnx/releases/download"12
lowObfuscationpackage/dist/server/server/agent/providers/codex-app-server-agent.jsmatched "Buffer.from(trimmed, \"base64"3
lowObfuscationpackage/dist/server/server/agent/providers/codex-rollout-timeline.jsmatched "\\u0000"3
lowObfuscationpackage/dist/server/shared/connection-offer.jsmatched "atob("3
lowObfuscationpackage/dist/server/server/pagination/cursor.jsmatched "Buffer.from(cursor, \"base64"3
lowObfuscationpackage/dist/server/client/daemon-client.jsmatched "atob("3
lowObfuscationpackage/dist/server/server/dictation/dictation-stream-manager.jsmatched "Buffer.from(params.audioBase64, \"base64"3
lowObfuscationpackage/dist/server/server/agent/mcp-server.jsmatched "\\u001b"3
lowObfuscationpackage/dist/server/server/session.jsmatched "Buffer.from(msg.audio, \"base64"3
lowObfuscationpackage/dist/server/shared/terminal-input-mode.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/server/shared/terminal-snapshot.jsmatched "\\u001b"3
lowObfuscationpackage/dist/server/terminal/terminal.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/server/server/voice/voice-turn-controller.jsmatched "Buffer.from(input.audioBase64, \"base64"3

Manifest

Package metadata

Scripts26
  • buildnode -e "require('node:fs').rmSync('dist',{ recursive: true, force: true })" && npm run build:lib && npm run build:scripts
  • build:libtsc -p tsconfig.server.json --incremental false && node -e "const fs=require('node:fs'); fs.mkdirSync('dist/server/server/speech/providers/local/sherpa/assets',{recursive:true}); fs.copyFileSync('src/server/speech/providers/local/sherpa/assets/silero_vad.onnx','dist/server/server/speech/providers/local/sherpa/assets/silero_vad.onnx'); fs.cpSync('src/terminal/shell-integration','dist/server/terminal/shell-integration',{recursive:true}); fs.cpSync('src/terminal/shell-integration','dist/src/terminal/shell-integration',{recursive:true}); fs.copyFileSync('src/terminal/terminal-ts-loader.mjs','dist/server/terminal/terminal-ts-loader.mjs');"
  • build:scriptstsc -p tsconfig.scripts.json --incremental false && node -e "const fs=require('node:fs'); fs.mkdirSync('dist/scripts',{recursive:true}); fs.copyFileSync('scripts/mcp-stdio-socket-bridge-cli.mjs','dist/scripts/mcp-stdio-socket-bridge-cli.mjs');"
  • devcross-env PASEO_NODE_ENV=development node --import tsx scripts/dev-runner.ts
  • dev:tsxcross-env PASEO_NODE_ENV=development tsx watch --ignore '**/*.timestamp-*' scripts/dev-runner.ts
  • generate:config-schematsx scripts/generate-config-schema.ts
  • prepacknpm run build
  • speech:downloadtsx scripts/download-speech-models.ts
  • speech:modelstsx scripts/list-speech-models.ts
  • speech:transcribe:localtsx scripts/transcribe-local-wav.ts
  • speech:tts:matrixtsx scripts/generate-sherpa-tts-matrix.ts
  • startnode dist/scripts/supervisor-entrypoint.js
  • testnpm run test:unit && npm run test:integration
  • test:e2evitest run e2e.test.ts --maxWorkers=1 --exclude "**/*.real.e2e.test.ts" --exclude "**/*.local.e2e.test.ts"
  • test:e2e:allvitest run e2e.test.ts --maxWorkers=1
  • test:e2e:localnpm run test:integration:local
  • test:e2e:realnpm run test:integration:real
  • test:e2e:uivitest --ui e2e.test.ts
  • test:integrationvitest run --maxWorkers=1 src/server/daemon-e2e/models.e2e.test.ts src/server/daemon-e2e/live-preferences.e2e.test.ts src/server/agent/model-catalog.e2e.test.ts
  • test:integration:allnpm run test:e2e
  • test:integration:localvitest run local.e2e.test.ts
  • test:integration:realvitest run real.e2e.test.ts
  • test:uivitest --ui
  • test:unitvitest run --exclude "**/*.e2e.test.ts"
  • test:watchvitest
  • typechecktsgo -p tsconfig.server.typecheck.json --noEmit
Dependencies34
  • @agentclientprotocol/sdk^0.17.1
  • @anthropic-ai/claude-agent-sdk^0.2.133
  • @getpaseo/highlight0.1.81
  • @getpaseo/relay0.1.81
  • @isaacs/ttlcache^2.1.4
  • @modelcontextprotocol/sdk^1.20.1
  • @opencode-ai/sdk1.14.46
  • @sctg/sentencepiece-js^1.1.0
  • @xterm/headless^6.0.0
  • ai5.0.78
  • ajv^8.20.0
  • bcryptjs^3.0.3
  • dotenv^17.2.3
  • express^4.18.2
  • fast-deep-equal^3.1.3
  • mnemonic-id^3.2.7
  • node-pty1.2.0-beta.11
  • onnxruntime-node^1.23.0
  • openai^4.20.0
  • p-limit^7.3.0
  • p-memoize^8.0.0
  • pino^10.2.0
  • pino-pretty^13.1.3
  • qrcode^1.5.4
  • rotating-file-stream^3.2.9
  • sherpa-onnx1.12.28
  • sherpa-onnx-node1.12.28
  • strip-ansi^7.1.2
  • tree-kill^1.2.2
  • uuid^9.0.1
  • …and 4 more.