Package evidence

@nchappell/[email protected]

Credential file access: matched ".ssh"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nchappell/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nchappell/[email protected]"],"fail_on":"high"}'

Publishernchappell

Artifact bytes12,724,649

Previous versionnone

Published2026-05-24T16:14:43.110Z

SHA-256a5f3611bfd5d1ec0a700e9a3b2ae11eba8f69f0fc3ad0fa7a853a034908dc2cc

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

20d agoLast checked

highRisk

567Score

1.0.3Version

Status history (1 event)

new → available20d ago · risk high · score 567 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

nchappell

3 members · evidence strength 74

Evidence

Static findings

132 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/.next/static/chunks/097hdbi7wy6_e.js	matched ".ssh"	30
high	Credential file access	package/.next/static/chunks/0fclz_~ydu~8p.js	matched ".ssh"	30
medium	Obfuscation Density	package/.next/server/chunks/ssr/[root-of-the-server]__00gkgbn._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0~w2xc7daf2b~.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/000-d79r_c4wh.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/03lth2le32c6r.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/09~n7y-jkmjlj.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0pdgrqz97l1cm.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0y-6rnwu5rs5r.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/10~ku18gzaow5.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/15--lscs_scdy.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/18b~gubbr4un7.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/build/chunks/node_modules_07wog73._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/server/chunks/ssr/node_modules_mermaid_dist_chunks_mermaid_core_chunk-727SXJPM_mjs_05x94.y._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/server/chunks/ssr/node_modules_mermaid_dist_chunks_mermaid_core_flowDiagram-I6XJVG4X_mjs_0136c8y._.js	high encoded/escaped-token density	12

Show all 132 findings (low-signal and informational)

Showing 60 of 132 findings.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/.next/static/chunks/097hdbi7wy6_e.js	matched ".ssh"	30
high	Credential file access	package/.next/static/chunks/0fclz_~ydu~8p.js	matched ".ssh"	30
medium	Obfuscation Density	package/.next/server/chunks/ssr/[root-of-the-server]__00gkgbn._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0~w2xc7daf2b~.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/000-d79r_c4wh.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/03lth2le32c6r.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/09~n7y-jkmjlj.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0pdgrqz97l1cm.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/0y-6rnwu5rs5r.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/10~ku18gzaow5.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/15--lscs_scdy.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/static/chunks/18b~gubbr4un7.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/build/chunks/node_modules_07wog73._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/server/chunks/ssr/node_modules_mermaid_dist_chunks_mermaid_core_chunk-727SXJPM_mjs_05x94.y._.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/.next/server/chunks/ssr/node_modules_mermaid_dist_chunks_mermaid_core_flowDiagram-I6XJVG4X_mjs_0136c8y._.js	high encoded/escaped-token density	12
low	Obfuscation	package/.next/server/chunks/[root-of-the-server]__0.6bt.6._.js	matched "\\u0009"	3
low	Obfuscation	package/.next/server/chunks/ssr/[root-of-the-server]__00gkgbn._.js	matched "\\u061C"	3
low	Obfuscation	package/.next/server/chunks/ssr/[root-of-the-server]__02qo-zr._.js	matched "fromCharCode"	3
low	Obfuscation	package/.next/server/chunks/ssr/[root-of-the-server]__03g-zub._.js	matched "\\u0009"	3
low	Obfuscation	package/.next/server/chunks/[root-of-the-server]__0pym12l._.js	matched "Buffer.from(e,\"base64"	3
low	Obfuscation	package/.next/server/chunks/ssr/[root-of-the-server]__0qri5b~._.js	matched "fromCharCode"	3
low	Obfuscation	package/.next/static/chunks/0_185q61fpk31.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0_e83kla4ze9m.js	matched "fromCharCode"	3
low	Obfuscation	package/.next/server/chunks/ssr/0_lp_modules_mermaid_dist_chunks_mermaid_core_journeyDiagram-JHISSGLW_mjs_0d.k2tv._.js	matched "eVal("	3
low	Obfuscation	package/.next/server/chunks/ssr/0_lp_modules_mermaid_dist_chunks_mermaid_core_quadrantDiagram-W4KKPZXB_mjs_0c30c1e._.js	matched "\\x00"	3
low	Obfuscation	package/.next/server/chunks/ssr/0_lp_modules_mermaid_dist_chunks_mermaid_core_sequenceDiagram-3UESZ5HK_mjs_07fd9jw._.js	matched "eVal("	3
low	Obfuscation	package/.next/static/chunks/0.9_2a1m8vote.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/0~1q5i4_euusl.js	matched "atob("	3
low	Obfuscation	package/.next/static/chunks/0~6sz615jhe1d.js	matched "\\u2014"	3
low	Obfuscation	package/.next/static/chunks/0~w2xc7daf2b~.js	matched "fromCharCode"	3
low	Obfuscation	package/.next/static/chunks/000-d79r_c4wh.js	matched "\\x7F"	3
low	Obfuscation	package/.next/static/chunks/00mi2800e2m_n.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/018l4l.jz04wq.js	matched "\\x7F"	3
low	Obfuscation	package/.next/static/chunks/02va.rhp8domv.js	matched "\\x1b"	3
low	Obfuscation	package/.next/static/chunks/03~yq9q893hmn.js	matched "\\u2028"	3
low	Obfuscation	package/.next/static/chunks/038jxymv2x4u-.js	matched "eVal("	3
low	Obfuscation	package/.next/static/chunks/03c_~h73pu71k.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/03lth2le32c6r.js	matched "\\u00AA"	3
low	Obfuscation	package/.next/static/chunks/03v0v690_bw8u.js	matched "\\xab"	3
low	Obfuscation	package/.next/static/chunks/04abnmsp1yx~g.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/06o.rsm2b~dht.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/08ds8cbwdizr3.js	matched "\\x7F"	3
low	Obfuscation	package/.next/static/chunks/08nzg~fbi7p-7.js	matched "\\x01"	3
low	Obfuscation	package/.next/static/chunks/08o5wsrurx9ux.js	matched "eVal("	3
low	Obfuscation	package/.next/static/chunks/08vpfcagpz0zi.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/08xqii.4ss2_0.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/09~n7y-jkmjlj.js	matched "\\u00AA"	3
low	Obfuscation	package/.next/static/chunks/094b.pb5hqhph.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/0a9bm316rg~5r.js	matched "\\x7F"	3
low	Obfuscation	package/.next/static/chunks/0bgys~30c4d.q.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0byrkd98js4j_.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0c61xf2c7dq3j.js	matched "\\x08"	3
low	Obfuscation	package/.next/static/chunks/0cg.oz_50ovb9.js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/0dd9h-s8eusxi.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0dgif2-stbh91.js	matched "fromCharCode"	3
low	Obfuscation	package/.next/static/chunks/0dlpdo-cw3ha..js	matched "\\x00"	3
low	Obfuscation	package/.next/static/chunks/0dnh~12u-e1_u.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0dw2avvsldob9.js	matched "\\u00B7"	3
low	Obfuscation	package/.next/static/chunks/0dz1~p6rchqx8.js	matched "\\uFEFF"	3
low	Obfuscation	package/.next/static/chunks/0gaib3l_evej..js	matched "\\x7F"	3

Manifest

Package metadata

Scripts14

app-server:recovernode ./bin/codex-web-ui.js app-server recover
app-server:restartnode ./bin/codex-web-ui.js app-server restart
app-server:startnode ./bin/codex-web-ui.js app-server start
app-server:statusnode ./bin/codex-web-ui.js app-server status
app-server:stopnode ./bin/codex-web-ui.js app-server stop
buildnext build
checktsc --noEmit
devnext dev --hostname ${HOST:-127.0.0.1} --port ${PORT:-4545}
prepacknpm run build
startnode ./bin/codex-web-ui.js
test:dockernode scripts/docker-smoke.mjs
test:e2eplaywright test
test:e2e:uiplaywright test --ui
test:securitynode --import tsx --test tests/security/*.test.ts

Dependencies29

@ai-sdk/react^3.0.190
@lexical/react^0.44.0
@radix-ui/react-use-controllable-state^1.2.2
@streamdown/cjk^1.0.3
@streamdown/code^1.1.1
@streamdown/math^1.0.2
@streamdown/mermaid^1.0.2
@tailwindcss/postcss^4.3.0
ai^6.0.188
ansi-to-react^6.2.6
class-variance-authority^0.7.1
clsx^2.1.1
cmdk^1.1.1
lexical^0.44.0
lucide-react^0.561.0
motion^12.39.0
nanoid^5.1.11
next^16.2.6
radix-ui^1.4.3
react^19.2.1
react-dom^19.2.1
react-markdown^10.1.0
remark-gfm^4.0.1
shiki^4.1.0
streamdown^2.5.0
tailwind-merge^3.6.0
tailwindcss^4.3.0
tw-animate-css^1.4.0
use-stick-to-bottom^1.1.4