PkgRadar

Package evidence

@kodus/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kodus/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kodus/[email protected]"],"fail_on":"high"}'
PublisherGitHub Actions
Artifact bytes245,778
Previous version0.4.15
Published2026-05-11T16:45:23.307Z
SHA-2564c7104d402381cb98e06911cd584b9802631add0e4b81639253991740f9e3c0d

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
114Score
0.4.16Version
Status history (1 event)
  1. newavailable · risk high · score 114 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/features/review/command.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/dist/utils/git-remote.jsmatched ".azure"30
highCredential file accesspackage/dist/commands/auth/login.jsmatched ".SSH"30
mediumRemote Payloadpackage/dist/utils/install-instructions.jsmatched "raw.githubusercontent.com"12
Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/features/review/command.jsmatched "GITHUB_TOKEN"30
highCredential file accesspackage/dist/utils/git-remote.jsmatched ".azure"30
highCredential file accesspackage/dist/commands/auth/login.jsmatched ".SSH"30
mediumRemote Payloadpackage/dist/utils/install-instructions.jsmatched "raw.githubusercontent.com"12
lowObfuscationpackage/dist/services/api/auth.api.jsmatched "Buffer.from(parts[1], 'base64"3
lowObfuscationpackage/dist/services/auth.service.jsmatched "Buffer.from(parts[1], 'base64"3
lowObfuscationpackage/dist/commands/memory/disable.jsmatched "\\u2713"3
lowObfuscationpackage/dist/commands/memory/enable.jsmatched "\\u2713"3

Manifest

Package metadata

Scripts20
  • buildyarn clean && tsc && chmod +x dist/index.js
  • checkyarn format:check && yarn lint
  • cleanrm -rf dist
  • devtsc --watch
  • formatprettier --write .
  • format:checkprettier --check .
  • linteslint src --ext .ts
  • lint:fixeslint src --ext .ts --fix
  • prepublishOnlyyarn build
  • skills:promptnode scripts/skills-to-prompt.mjs --format=xml
  • skills:prompt:jsonnode scripts/skills-to-prompt.mjs --format=json
  • skills:syncnode scripts/sync-skills-aliases.mjs
  • skills:validatenode scripts/validate-skills.mjs
  • startnode dist/index.js
  • start:localKODUS_API_URL=http://localhost:3001 node dist/index.js
  • start:qaKODUS_API_URL=https://qa.api.kodus.io node dist/index.js
  • testvitest run
  • test:installersh tests/install_business_rules_validation_test.sh
  • test:integrationyarn build && vitest run --config vitest.integration.config.ts
  • test:watchvitest
Dependencies17
  • @inquirer/prompts^8.4.2
  • boxen^8.0.1
  • chalk^5.6.2
  • clipboardy^5.3.1
  • commander^14.0.3
  • execa^9.6.1
  • figlet^1.11.0
  • gradient-string^3.0.0
  • hunkdiff0.10.0
  • latest-version^9.0.0
  • node-machine-id^1.1.12
  • open^11.0.0
  • ora^9.4.0
  • simple-git^3.36.0
  • undici^8.1.0
  • update-notifier^7.3.1
  • yaml^2.8.3