Package evidence

@mobilabs/[email protected]

Credential file access: matched ".npmrc"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mobilabs/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mobilabs/[email protected]"],"fail_on":"high"}'

Publisherjclo

Artifact bytes27,007

Previous version3.0.0-beta.1.1

Published2026-05-23T15:12:29.693Z

SHA-25698b1cb9c1c31f71522394fcbb27ecf3119049af3ea150d5a70d2d7b061777f1e

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

20d agoLast checked

highRisk

52Score

3.0.0-beta.1.2Version

Status history (1 event)

new → available20d ago · risk high · score 52 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

jclo

2 members · evidence strength 54

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/bin/es6pakket.js	matched ".npmrc"	30

Show all 8 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/bin/es6pakket.js	matched ".npmrc"	30
low	Install-time lifecycle script	package.json	prepare="husky"	4
low	Obfuscation	package/scripts/_build.template.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/build.js.dev.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/build.js.prod.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/build.skeleton.prod.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/dep.private.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/make:package:publish:json.js	matched "\\x1b"	3

Manifest

Package metadata

Scripts38

build:css --- BUILDING CSS ---
build:devnpm run build:js:dev
build:development --- BUILDING (DEVELOPMENT) ---
build:generic --- BUILDING (GENERIC) ---
build:js --- BUILDING JAVASCRIPT ---
build:js:devnode scripts/build.js.dev.js $1
build:js:prodnode scripts/build.js.prod.js $1
build:prodnpm run build:js:prod && npm run npm:make:package:json
build:production --- BUILDING (PRODUCTION) ---
build:skeleton:prodnode scripts/build.skeleton.prod.js $1
check:coveragec8 check-coverage --statements 100 --branches 100 --functions 100 --lines 100
dep:npm:private:packagenpm run build:prod && npm pack && sh scripts/dep.npm.private.sh ${npm_package_name} ${npm_package_version} @mobilabs
dep:private:packagenpm run build:prod && node scripts/dep.private.js && sh scripts/compress.sh ${npm_package_name} ${npm_package_version} @mobilabs
dep:prodrm -rf _dist-$npm_package_version && npm run build:prod && cp -r _dist _dist-$npm_package_version
deployment --- DEPLOYING ---
display:coverageopen -a safari ./coverage/lcov-report/index.html
doc:site:buildkasar build
doc:site:initkasar init --theme <theme-name>
doc:site:startkasar serve --port $1
doc:site:watchkasar watch
doc:site:web --- DOCUMENTING ---
general --- GENERAL ---
npm:make:package:json
npm:publishing --- PUBLISHING ---
others --- OTHERS ---
postpack
prebuild:prodnpm run build:dev && npm run build:skeleton:prod
prepack
preparehusky
reportc8 report
…and 8 more.

Dependencies2

nopt^9.0.0
shelljs^0.10.0