PkgRadar

Package evidence

@ledgerhq/[email protected]

Credential file access: matched ".aws"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
5,551Niche · −30% score
Versions published
2,347Mature · −50% score
First published
Apr 2018
Publisher
ldg-github-ci

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ledgerhq/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ledgerhq/[email protected]"],"fail_on":"review"}'
Publisherldg-github-ci
Artifact bytes3,288,246
Previous version35.0.0-nightly.20260526030636
Published2026-05-27T03:16:28.573Z
SHA-256e194ea62716af442edafc367f2e59174ebe5bfd6c8beea5e3554ba77c3a9258a

Why flagged

What the scanner saw

Credential file access: matched ".aws"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
35.0.0-nightly.20260527030754Version
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/lib-es/featureFlags/defaultFeatures.jsmatched ".aws"5
lowCredential file accesspackage/lib/featureFlags/defaultFeatures.jsmatched ".aws"5
lowCredential file accesspackage/src/featureFlags/defaultFeatures.tsmatched ".aws"5

Manifest

Package metadata

Scripts23
  • buildzx ./scripts/build-ts.mjs
  • ci-lintpnpm lint:ci
  • ci-test-integrationenv-cmd -f .ci.integration.env pnpm jest --ci --updateSnapshot --passWithNoTests
  • ci-test-integration:debugenv-cmd -f .ci.integration.env node --inspect-wait ./node_modules/jest/bin/jest.js --runInBand --ci --updateSnapshot --passWithNoTests
  • ci-test-unitenv-cmd -f .ci.unit.env pnpm jest --ci --updateSnapshot && git diff --exit-code src
  • coverageenv-cmd -f .ci.unit.env pnpm jest --coverage --ci
  • formatoxfmt src
  • format:checkoxfmt src --check
  • jestjest
  • jest:debugcross-env TZ=America/New_York node --inspect-brk ./node_modules/jest/bin/jest.js --runInBand
  • lintoxlint src
  • lint:cioxlint src --quiet
  • lint:fixoxlint src --fix --quiet
  • prettierprettier --write 'src/**/*.?s'
  • testpnpm ci-test-unit
  • test-account-migrationtsx src/__tests__/migration/account-migration.ts
  • test-bridgeenv-cmd -f .ci.bridge.env pnpm jest --ci --updateSnapshot --passWithNoTests --runInBand
  • test-bridge-updateUPDATE_BACKEND_MOCKS=1 env-cmd -f .ci.integration.env pnpm jest --ci --updateSnapshot --passWithNoTests
  • typechecktsc --noEmit -p src/tsconfig.json --customConditions node
  • unimportedunimported
  • updateAppSupportsQuitAppnode scripts/updateAppSupportsQuitApp.js
  • watchzx ./scripts/watch-ts.mjs
  • watch:eszx ./scripts/watch-ts-es.mjs
Dependencies144
  • @blooo/hw-app-acre^1.1.1
  • @cardano-foundation/ledgerjs-hw-app-cardano^7.1.2
  • @ledgerhq/asset-aggregation^0.6.0-nightly.20260527030754
  • @ledgerhq/client-ids^0.9.2-nightly.20260527030754
  • @ledgerhq/coin-aleo^1.13.0-nightly.20260527030754
  • @ledgerhq/coin-algorand^1.6.0-nightly.20260527030754
  • @ledgerhq/coin-aptos^3.20.0-nightly.20260527030754
  • @ledgerhq/coin-bitcoin^0.42.0-nightly.20260527030754
  • @ledgerhq/coin-canton^0.25.0-nightly.20260527030754
  • @ledgerhq/coin-cardano^0.25.4-nightly.20260527030754
  • @ledgerhq/coin-casper^2.13.4-nightly.20260527030754
  • @ledgerhq/coin-celo^2.3.1-nightly.20260527030754
  • @ledgerhq/coin-concordium^0.12.0-nightly.20260527030754
  • @ledgerhq/coin-cosmos^0.33.2-nightly.20260527030754
  • @ledgerhq/coin-evm^4.0.0-nightly.20260527030754
  • @ledgerhq/coin-filecoin^1.24.4-nightly.20260527030754
  • @ledgerhq/coin-hedera^1.32.0-nightly.20260527030754
  • @ledgerhq/coin-icon^0.23.2-nightly.20260527030754
  • @ledgerhq/coin-internet_computer^1.22.2-nightly.20260527030754
  • @ledgerhq/coin-kaspa^1.14.2-nightly.20260527030754
  • @ledgerhq/coin-mina^1.15.2-nightly.20260527030754
  • @ledgerhq/coin-module-framework3.1.0
  • @ledgerhq/coin-multiversx^0.17.1-nightly.20260527030754
  • @ledgerhq/coin-near^0.25.4-nightly.20260527030754
  • @ledgerhq/coin-polkadot^6.27.0-nightly.20260527030754
  • @ledgerhq/coin-solana^0.54.0-nightly.20260527030754
  • @ledgerhq/coin-stacks^0.21.4-nightly.20260527030754
  • @ledgerhq/coin-stellar^6.23.0-nightly.20260527030754
  • @ledgerhq/coin-sui^0.35.0-nightly.20260527030754
  • @ledgerhq/coin-tezos^7.3.0-nightly.20260527030754
  • …and 114 more.
Optional dependencies4
  • @oxlint/binding-darwin-arm641.51.0
  • @oxlint/binding-darwin-x641.51.0
  • @oxlint/binding-linux-x64-gnu1.51.0
  • @oxlint/binding-win32-x64-msvc1.51.0