PkgRadar

Package evidence

@kodax-ai/[email protected]

Credential file access: matched ".SSH"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kodax-ai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kodax-ai/[email protected]"],"fail_on":"high"}'
Publishericetomoyo
Artifact bytes1,495,256
Previous version0.7.41
Published2026-05-22T11:24:40.383Z
SHA-25691ad9b12a59ad67061d6408d5c06b5e1e3b25e071d4376dbf2031a4703173eca

Why flagged

What the scanner saw

Credential file access: matched ".SSH"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
126Score
0.7.42Version
Status history (1 event)
  1. newavailable · risk high · score 126 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

icetomoyo

2 members · evidence strength 64

Evidence

Static findings

18 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/chunks/chunk-ZZ4KRK2B.jsmatched ".SSH"30
mediumRemote Payloadpackage/dist/chunks/chunk-7JLYVWAF.jsmatched "Invoke-WebRequest"12
mediumObfuscation Densitypackage/dist/chunks/chunk-7JLYVWAF.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/chunks/chunk-KUX5LRPP.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/dist/chunks/chunk-ZZ4KRK2B.jsmatched "invoke-webrequest"12
mediumObfuscation Densitypackage/dist/chunks/chunk-ZZ4KRK2B.jshigh encoded/escaped-token density12
Show all 18 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/chunks/chunk-ZZ4KRK2B.jsmatched ".SSH"30
mediumRemote Payloadpackage/dist/chunks/chunk-7JLYVWAF.jsmatched "Invoke-WebRequest"12
mediumObfuscation Densitypackage/dist/chunks/chunk-7JLYVWAF.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/chunks/chunk-KUX5LRPP.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/dist/chunks/chunk-ZZ4KRK2B.jsmatched "invoke-webrequest"12
mediumObfuscation Densitypackage/dist/chunks/chunk-ZZ4KRK2B.jshigh encoded/escaped-token density12
lowObfuscationpackage/dist/chunks/chunk-7JLYVWAF.jsmatched "\\u2026"3
lowObfuscationpackage/dist/chunks/chunk-CD3R5YBH.jsmatched "\\u2014"3
lowObfuscationpackage/dist/chunks/chunk-DKXUY5F2.jsmatched "\\u2014"3
lowObfuscationpackage/dist/chunks/chunk-EVIDQWMF.jsmatched "\\x1B"3
lowObfuscationpackage/dist/chunks/chunk-HMYEQJGT.jsmatched "\\u901F"3
lowObfuscationpackage/dist/chunks/chunk-KUX5LRPP.jsmatched "\\u2191"3
lowObfuscationpackage/dist/chunks/chunk-OWSKU55I.jsmatched "\\u2014"3
lowObfuscationpackage/dist/chunks/chunk-ZZ4KRK2B.jsmatched "\\u2026"3
lowObfuscationpackage/dist/chunks/construction-bootstrap-J2WOCYEK.jsmatched "\\u2014"3
lowObfuscationpackage/dist/builtin/skill-creator/scripts/generate-review.jsmatched "\\u003c"3
lowObfuscationpackage/dist/builtin/skill-creator/scripts/run-trigger-eval.jsmatched "Eval("3
lowObfuscationpackage/dist/builtin/skill-creator/scripts/utils.jsmatched "\\uFEFF"3

Manifest

Package metadata

Scripts22
  • bench:perftsx benchmark/perf/repl-render-perf.bench.ts
  • bench:perf:e2etsx benchmark/perf/repl-render-engine-e2e.bench.ts
  • buildnpm run build:packages && npm run build:bundle && npm run build:dts
  • build:binarynode scripts/build-binary.mjs
  • build:binary:allnode scripts/build-binary.mjs --all
  • build:bundlenode scripts/build-bundle.mjs
  • build:dtsnode scripts/build-dts.mjs
  • build:packagestsc -b tsconfig.build.json && npm run copy:builtin -w @kodax-ai/skills
  • cleannode -e "require('fs').rmSync('dist',{recursive:true,force:true})"
  • clean:packagesnpm run clean --workspaces
  • devnode --max-old-space-size=4096 --require ./scripts/production-env.cjs --import tsx src/kodax_cli.ts
  • dev:clinode --max-old-space-size=4096 --require ./scripts/production-env.cjs --import tsx src/kodax_cli.ts
  • dev:mem-diagnode scripts/mem-diag-launch.cjs
  • dev:mem-snapshotnode scripts/mem-diag-launch.cjs 2
  • probe:reasoningtsx scripts/probe-reasoning.ts
  • repointel:demonode clients/repointel/scripts/demo.mjs
  • repointel:doctornode clients/repointel/scripts/doctor.mjs
  • repointel:installnode clients/repointel/scripts/install.mjs
  • startnode --max-old-space-size=4096 --require ./scripts/production-env.cjs dist/kodax_cli.js
  • testvitest run
  • test:evalvitest run -c vitest.eval.config.ts
  • test:watchvitest
Dependencies43
  • @agentclientprotocol/sdk^0.15.0
  • @alcalzone/ansi-tokenize^0.2.5
  • @anthropic-ai/sdk^0.80.0
  • ansi-escapes^7.3.0
  • auto-bind^5.0.1
  • chalk^5.4.1
  • cli-boxes^3.0.0
  • cli-cursor^4.0.0
  • cli-truncate^5.2.0
  • clipboardy^4.0.0
  • code-excerpt^4.0.0
  • commander^13.1.0
  • es-toolkit^1.46.1
  • fflate^0.8.2
  • glob^11.0.1
  • iconv-lite^0.6.3
  • indent-string^5.0.0
  • ink^6.7.0
  • ink-spinner^5.0.0
  • ink-text-input^6.0.0
  • is-in-ci^2.0.0
  • jimp^1.6.0
  • js-tiktoken^1.0.12
  • openai^6.32.0
  • partial-json^0.1.7
  • patch-console^2.0.0
  • react>=19.0.0
  • react-devtools-core^7.0.1
  • react-reconciler^0.33.0
  • scheduler^0.27.0
  • …and 13 more.