Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- Jun 2026
- Publisher
- maxacad
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@maxacad/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@maxacad/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 25 · status changed
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/bin/index.js | matched ".npmrc" | 10 |
| medium | Suspicious Publish Context | manifest | {"package_age_days":0,"publisher":"maxacad","burst_same_day":0,"burst_week":0,"lure":{"kind":"edit_distance","target":"ini"},"version_anomaly":false,"new_account":false} | 10 |
Show all 5 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/bin/index.js | matched ".npmrc" | 10 |
| medium | Suspicious Publish Context | manifest | {"package_age_days":0,"publisher":"maxacad","burst_same_day":0,"burst_week":0,"lure":{"kind":"edit_distance","target":"ini"},"version_anomaly":false,"new_account":false} | 10 |
| low | Credential file access | package/dist/cli.js | matched ".npmrc" | 5 |
| low | Obfuscation Density | package/pnpm-lock.yaml | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/cli.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts18
androidreact-native run-androidbundle:allnpm run bundle:android && npm run bundle:iosbundle:androidPLATFORM=android react-native bundle --platform android --dev false --entry-file index.js --bundle-output build/generated/android/index.android.bundle --assets-dest build/generated/android/assets && ./scripts/cleanup-outputs.shbundle:iosPLATFORM=ios react-native bundle --platform ios --dev false --entry-file index.js --bundle-output build/generated/ios/main.jsbundle --assets-dest build/generated/ios/assets && ./scripts/cleanup-outputs.shbundle:ios2PLATFORM=ios react-native bundle --platform ios --dev false --entry-file index.js --bundle-output build/generated/ios/main.jsbundle --assets-dest build/generated/ios/assets && ./scripts/cleanup-outputs.shdeploynpm run bundle:all && npm run upload:azureformatprettier --write "src/**/*.{ts,tsx,js,jsx,json}"format:checkprettier --check "src/**/*.{ts,tsx,js,jsx,json}"iosreact-native run-ioslinteslint .localreact-native start --reset-cache --port 8088local2PLATFORM=ios react-native start --platform ios --dev false --reset-cache --port 8088startreact-native start --platform ios --reset-cachestart:minified:androidMINIFY=true PLATFORM=android react-native start --platform android --reset-cache --port 8088start:minified:iosMINIFY=true PLATFORM=ios react-native start --platform ios --reset-cache --port 8088start:prodreact-native start --platform ios --reset-cache --port 8088testjestupload:azureENVFILE=.env ./scripts/upload-to-azure.sh
Dependencies33
@gorhom/bottom-sheet^5.2.14@maxacad/core-utils^1.0.17@maxacad/remote-log-manager^1.0.5@maxacad/ui-kit^1.0.36@react-native-async-storage/async-storage2.0.0@react-native-community/datetimepicker^8.5.0@react-native-community/netinfo11.4.1@react-native-picker/picker2.11.1@react-navigation/native^7.1.19@react-navigation/native-stack^7.6.2@reduxjs/toolkit^2.4.0axios^1.9.0base64-js^1.5.1cross-env^10.0.0i18next^25.3.1moment^2.30.1moment-timezone^0.5.48react19.1.0react-i18next^15.6.0react-native0.81.4react-native-fs^2.20.0react-native-gesture-handler~2.28.0react-native-image-picker^8.2.1react-native-netinfo^1.1.0react-native-reanimated~4.1.1react-native-svg^15.12.1react-native-vector-icons^10.3.0react-native-webview^13.16.1react-native-worklets0.5.1react-redux^9.1.2- …and 3 more.