PkgRadar

Package evidence

@goyamegh/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
72
Versions published
72
First published
Jan 2026
Publisher
goyamegh

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@goyamegh/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@goyamegh/[email protected]"],"fail_on":"review"}'
Publishergoyamegh
Artifact bytes1,518,399
Previous version0.5.6
Published2026-05-12T22:15:24.758Z
SHA-2564c09be0e03186d9e38d0451c46338473d6f0df415e374d9a40d50ff2544fc561

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
20Score
0.5.7Version
Status history (1 event)
  1. newavailable · risk review · score 20 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/server/dist/app.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/cli/dist/index.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/lib/dist/config/index.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/server/dist/index.jsmatched "AWS_ACCESS_KEY"5

Manifest

Package metadata

Scripts27
  • buildtsc && vite build
  • build:allnpm run build && npm run build:server && npm run build:cli && npm run build:lib
  • build:cliesbuild cli/index.ts --bundle --platform=node --format=esm --outdir=cli/dist --packages=external --external:inquirer
  • build:libesbuild lib/index.ts lib/config/index.ts --bundle --platform=node --format=esm --outdir=lib/dist --packages=external
  • build:serveresbuild server/index.ts server/app.ts --bundle --platform=node --format=esm --outdir=server/dist --packages=external
  • demonpm run build:all && node cli/dist/index.js
  • devvite
  • dev:allnpm run dev:server
  • dev:servernpm run build:server && node server/dist/index.js
  • evalts-node src/eval_framework/cli.ts
  • eval:text-to-pplts-node src/eval_framework/cli.ts run --benchmark benchmarks/text_to_ppl/test_cases.json
  • migrate:labelsts-node scripts/migrate-to-labels.ts
  • migrate:labels:cleanupts-node scripts/migrate-to-labels.ts --cleanup
  • migrate:labels:dry-runts-node scripts/migrate-to-labels.ts --dry-run --verbose
  • prepublishOnlynpm run build:all
  • previewvite preview
  • servernpm run build && npm run build:server && node server/dist/index.js
  • start:observiocd observio-sample-agent && npm install --legacy-peer-deps --silent && npm run start:ag-ui
  • testjest
  • test:allnpm run test:unit && npm run test:integration && npm run test:e2e
  • test:e2eplaywright test
  • test:e2e:reportplaywright show-report
  • test:e2e:uiplaywright test --ui
  • test:integrationjest --testPathPatterns='tests/integration'
  • test:integration:experimentRunnerjest --testPathPatterns=experimentRunner
  • test:integration:tracePollerjest --testPathPatterns=tracePoller
  • test:unitjest --testPathPatterns='__tests__|.test.ts' --testPathIgnorePatterns='tests/integration|tests/e2e'
Dependencies58
  • @ag-ui/core^0.0.41
  • @assistant-ui/react^0.14.0
  • @aws-sdk/client-bedrock^3.1000.0
  • @aws-sdk/client-bedrock-agent^3.1038.0
  • @aws-sdk/client-bedrock-agent-runtime^3.1038.0
  • @aws-sdk/client-bedrock-runtime^3.1000.0
  • @aws-sdk/credential-providers^3.1000.0
  • @opensearch-project/opensearch^3.5.1
  • @opentelemetry/api^1.9.1
  • @opentelemetry/exporter-trace-otlp-http^0.217.0
  • @opentelemetry/exporter-trace-otlp-proto^0.216.0
  • @opentelemetry/resources^2.6.1
  • @opentelemetry/sdk-trace-node^2.6.1
  • @opentelemetry/semantic-conventions^1.38.0
  • @radix-ui/react-alert-dialog^1.1.15
  • @radix-ui/react-checkbox^1.3.3
  • @radix-ui/react-collapsible^1.1.12
  • @radix-ui/react-dialog^1.1.15
  • @radix-ui/react-dropdown-menu^2.1.16
  • @radix-ui/react-label^2.1.8
  • @radix-ui/react-progress^1.1.8
  • @radix-ui/react-scroll-area^1.2.10
  • @radix-ui/react-select^2.2.6
  • @radix-ui/react-separator^1.1.8
  • @radix-ui/react-slot^1.2.4
  • @radix-ui/react-switch^1.2.6
  • @radix-ui/react-tabs^1.1.13
  • @radix-ui/react-tooltip^1.2.8
  • @xyflow/react^12.0.0
  • chalk^5.3.0
  • …and 28 more.
Optional dependencies1
  • puppeteer^24.37.4