PkgRadar

Package evidence

@internxt/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
99
Versions published
57Mature · −50% score
First published
Apr 2024
Publisher
fvsegarra

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@internxt/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@internxt/[email protected]"],"fail_on":"high"}'
Publisherfvsegarra
Artifact bytes68,118
Previous version1.6.1
Published2026-01-26T16:04:53.460Z
SHA-256bef5373263d0d46495b86d6264c7b7ff1d0d5b344dfc505d1078808caa0ebc92

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
20Score
1.6.2Version
Status history (1 event)
  1. newavailable · risk high · score 20 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential File Packagedpackage/.envpackage/.env35
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential File Packagedpackage/.envpackage/.env35
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node ./scripts/restart-webdav.js"5

Manifest

Package metadata

Scripts16
  • buildyarn clean && tsc
  • cleanrimraf dist coverage tsconfig.tsbuildinfo oclif.manifest.json
  • dev:webdavnodemon -e ts --exec ts-node src/webdav/index.ts
  • formatprettier --write **/*.{js,jsx,tsx,ts}
  • linteslint .
  • pack:winoclif pack win
  • postinstallnode ./scripts/restart-webdav.js
  • postpackrimraf oclif.manifest.json
  • posttestyarn lint
  • prepackyarn build && oclif manifest && oclif readme
  • preparehusky || true
  • publish:githubnpm run build && npm publish --scope=@internxt --registry=https://npm.pkg.github.com --tag latest
  • publish:npmnpm run build && npm publish --scope=@internxt --registry=https://registry.npmjs.org/ --access public
  • testyarn test:unit
  • test:unitvitest run --coverage
  • test:watchvitest watch
Dependencies24
  • @inquirer/prompts8.2.0
  • @internxt/inxt-js2.2.9
  • @internxt/lib1.4.1
  • @internxt/sdk1.12.0
  • @oclif/core4.8.0
  • @oclif/plugin-autocomplete3.2.39
  • axios1.13.2
  • bip393.1.0
  • body-parser2.2.2
  • cli-progress3.12.0
  • dayjs1.11.19
  • dotenv17.2.3
  • express5.2.1
  • express-async-handler1.2.0
  • fast-xml-parser5.3.3
  • mime-types3.0.2
  • open11.0.0
  • openpgp6.3.0
  • otpauth9.4.1
  • pm26.0.14
  • range-parser1.2.1
  • selfsigned5.5.0
  • tty-table5.0.0
  • winston3.19.0
Optional dependencies1
  • sharp0.34.5