PkgRadar

Package evidence

@grinrus/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher
GitHub Actions: Trusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@grinrus/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@grinrus/[email protected]"],"fail_on":"high"}'

Artifact bytes: 334,353
Previous version: 0.1.0-alpha.2
Published: 2026-05-24T18:47:16.072Z
SHA-256: 6c9747d5d97a8aa09190454d2b6eaacc2b84e71628a20b0b4b5a4cc9a723c08a

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Availability: available
Risk: high
Score: 60
Version: 0.1.0-alpha.3
Last checked
Status history (1 event):
  1. new: available · risk high · score 60 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity | Kind                   | Path                                                                    | Detail                  | Points
high     | Credential file access | package/packages/orchestrator-core/src/operator-cli/command-handler.mjs | matched "GITHUB_TOKEN"  | 30
high     | Credential file access | package/packages/orchestrator-core/src/delivery-mode-runners.mjs        | matched "GITHUB_TOKEN"  | 30

Manifest

Package metadata

Scripts (17)
  • aor: node ./apps/cli/bin/aor.mjs
  • build: node ./scripts/build.mjs
  • check: node ./scripts/lint.mjs && node ./scripts/test.mjs && node ./scripts/build.mjs
  • lint: node ./scripts/lint.mjs
  • production:ready: node ./scripts/production-readiness.mjs
  • release:gate: pnpm check && pnpm production:ready && pnpm release:verify && pnpm release:pack && pnpm release:smoke
  • release:pack: node ./scripts/release-pack.mjs
  • release:smoke: node ./scripts/release-smoke.mjs
  • release:verify: node ./scripts/release-verify.mjs
  • slice:complete: node ./scripts/slice-cycle.mjs complete
  • slice:gate: node ./scripts/slice-cycle.mjs gate
  • slice:next: node ./scripts/slice-cycle.mjs next
  • slice:plan: node ./scripts/slice-cycle.mjs plan
  • slice:status: node ./scripts/slice-cycle.mjs status
  • slice:sync-ready: node ./scripts/slice-cycle.mjs sync-ready
  • test: node ./scripts/test.mjs
  • test:references: node ./scripts/reference-integrity.mjs
Dependencies (1)
  • yaml: ^2.8.1