Package evidence

@mitre/[email protected]

Credential file access: matched ".aws/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 83Mature · −50% score
First published: Aug 2021
Publisher: asmlang

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mitre/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mitre/[email protected]"],"fail_on":"review"}'

Publisherasmlang

Artifact bytes725,744

Previous version2.12.0

Published2025-09-04T05:55:29.678Z

SHA-2562258b3b2da25e2c683106b635d0543001d9aac99515e019434cc02f07a8c6d72

Why flagged

What the scanner saw

Credential file access: matched ".aws/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

15h agoLast checked

reviewRisk

5Score

2.12.1Version

Status history (1 event)

new → available15h ago · risk review · score 5 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/lib/src/asff-mapper/case-cms-inspec.js	matched ".aws/"	5
low	Credential file access	package/lib/src/asff-mapper/case-firewall-manager.js	matched ".aws/"	5
low	Large Javascript Payload	package/lib/src/utils/CCI_List.js	3166344 bytes	0

Manifest

Package metadata

Scripts12

buildrun-script-os
build:darwin:linux../../node_modules/.bin/tsc -p ./tsconfig.build.json && cp -R ./data ./lib
build:win32../../node_modules/.bin/tsc -p ./tsconfig.build.json && xcopy data lib
csv2jsontsx data/converters/csv2json.ts
linteslint "**/*.ts" --fix
lint:cieslint "**/*.ts" --max-warnings 0
postpackrun-script-os
postpack:darwin:linuxmv package.json.orig package.json
postpack:win32move package.json.orig package.json
prepackyarn build && node prepack.js
testjest
xml2jsontsx data/converters/xml2json.ts

Dependencies36

@aws-sdk/client-config-service^3.95.0
@e965/xlsx^0.20.0
@mdi/js^7.0.96
@microsoft/microsoft-graph-types^2.40.0
@mitre/jsonix^3.0.7
@smithy/node-http-handler^4.0.0
@types/csv2json^1.4.2
@types/ms^0.7.31
@types/mustache^4.1.2
@types/papaparse^5.3.2
@types/revalidator^0.3.12
@types/semver^7.7.0
@types/triple-beam^1.3.2
@types/validator^13.12.0
@types/xml2js^0.4.9
axios^1.3.5
compare-versions^6.0.0
csv2json^2.0.2
fast-xml-parser5.2.5
html-entities^2.3.2
htmlparser2^10.0.0
inspecjs^2.12.0
lodash^4.17.21
moment^2.29.1
ms^2.1.3
mustache^4.2.0
papaparse^5.3.1
revalidator^0.3.1
run-script-os^1.1.6
semver^7.6.0
…and 6 more.