Package evidence

@mavogel/[email protected]

Credential file access: matched ".aws/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 396
Versions published: 89Mature · −50% score
First published: Jan 2025
Publisher: mavogel

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mavogel/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mavogel/[email protected]"],"fail_on":"review"}'

Publishermavogel

Artifact bytes5,038,671

Previous version0.0.89

Published2026-06-03T12:39:04.521Z

SHA-256b1b3c9d27e106db854352df2aa275e290bcb14a2ea41b2eb1790b4c2d69a8d70

Why flagged

What the scanner saw

Credential file access: matched ".aws/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

10d agoLast checked

reviewRisk

2Score

0.0.90Version

Status history (1 event)

new → available10d ago · risk review · score 2 · status changed

Evidence

Static findings

13 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 13 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/lib/installer/installer.js	matched ".aws/"	5
low	Large Javascript Payload	package/integ-tests/integ.al2023.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.al2023.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/integ-tests/integ.custom-domain.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.custom-domain.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/integ-tests/integ.stop-on-idle.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.stop-on-idle.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/integ-tests/integ.ubuntu.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.ubuntu.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/integ-tests/integ.ubuntu24.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.ubuntu24.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/integ-tests/integ.ubuntu25.ts.snapshot/asset.530055f7515b3f0a47900f5df37e729ba40ca977b2d07b952bdefa2b8f883f42.bundle/index.js	2071244 bytes	0
low	Obfuscation Density	package/integ-tests/integ.ubuntu25.ts.snapshot/asset.efac30c7091c58fed492058fa6403c14f7e58aab8cf4fd595d838b8d5eeec2b9/index.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts35

awslintawslint
buildprojen build
bumpprojen bump
bundleprojen bundle
bundle:idle-monitor-enabler/idle-monitor-enabler.lambdaprojen bundle:idle-monitor-enabler/idle-monitor-enabler.lambda
bundle:idle-monitor-enabler/idle-monitor-enabler.lambda:watchprojen bundle:idle-monitor-enabler/idle-monitor-enabler.lambda:watch
bundle:idle-monitor/idle-monitor.lambdaprojen bundle:idle-monitor/idle-monitor.lambda
bundle:idle-monitor/idle-monitor.lambda:watchprojen bundle:idle-monitor/idle-monitor.lambda:watch
bundle:installer/installer.lambdaprojen bundle:installer/installer.lambda
bundle:installer/installer.lambda:watchprojen bundle:installer/installer.lambda:watch
bundle:secret-retriever/secret-retriever.lambdaprojen bundle:secret-retriever/secret-retriever.lambda
bundle:secret-retriever/secret-retriever.lambda:watchprojen bundle:secret-retriever/secret-retriever.lambda:watch
clobberprojen clobber
compatprojen compat
compileprojen compile
defaultprojen default
docgenprojen docgen
ejectprojen eject
eslintprojen eslint
integ-testinteg-runner --directory ./integ-tests --parallel-regions eu-west-1 --parallel-regions eu-west-2 --parallel-regions eu-north-1 --parallel-regions eu-west-3 --update-on-failed
packageprojen package
package-allprojen package-all
package:jsprojen package:js
package:pythonprojen package:python
post-compileprojen post-compile
post-upgradeprojen post-upgrade
pre-compileprojen pre-compile
preparehusky
projenprojen
releaseprojen release
…and 5 more.

Dependencies4

@mavogel/mvc-projen^0.0.25
cdk-nag^2.37.55
constructs^10.4.2
node-html-parser^7.1.0