Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@nchappell/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@nchappell/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 225 · status changed
Related candidates
Linked campaigns and clusters
nchappell
3 members · evidence strength 74Evidence
Static findings
48 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/.next/static/chunks/097hdbi7wy6_e.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/.next/server/chunks/ssr/[root-of-the-server]__0h7ed3q._.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/000-d79r_c4wh.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0g7lwnm9wxo3~.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0pdgrqz97l1cm.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0y-6rnwu5rs5r.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/build/chunks/node_modules_07wog73._.js | high encoded/escaped-token density | 12 |
Show all 48 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/.next/static/chunks/097hdbi7wy6_e.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/.next/server/chunks/ssr/[root-of-the-server]__0h7ed3q._.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/000-d79r_c4wh.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0g7lwnm9wxo3~.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0pdgrqz97l1cm.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/static/chunks/0y-6rnwu5rs5r.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/.next/build/chunks/node_modules_07wog73._.js | high encoded/escaped-token density | 12 |
| low | Obfuscation | package/.next/server/chunks/[root-of-the-server]__0.6bt.6._.js | matched "\\u0009" | 3 |
| low | Obfuscation | package/.next/server/chunks/ssr/[root-of-the-server]__02qo-zr._.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/server/chunks/ssr/[root-of-the-server]__03g-zub._.js | matched "\\u0009" | 3 |
| low | Obfuscation | package/.next/server/chunks/ssr/[root-of-the-server]__0h7ed3q._.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/server/chunks/[root-of-the-server]__0pym12l._.js | matched "Buffer.from(e,\"base64" | 3 |
| low | Obfuscation | package/.next/static/chunks/0_185q61fpk31.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0_e83kla4ze9m.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/static/chunks/0~1q5i4_euusl.js | matched "atob(" | 3 |
| low | Obfuscation | package/.next/static/chunks/000-d79r_c4wh.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/.next/static/chunks/03~yq9q893hmn.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/.next/static/chunks/08ds8cbwdizr3.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/.next/static/chunks/08xqii.4ss2_0.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0a9bm316rg~5r.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/.next/static/chunks/0bgys~30c4d.q.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0byrkd98js4j_.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0dbltxhd1a1rt.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/static/chunks/0g7lwnm9wxo3~.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/static/chunks/0gaib3l_evej..js | matched "\\x7F" | 3 |
| low | Obfuscation | package/.next/static/chunks/0gk67r9vyq28h.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0hfw~zchjv985.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/.next/static/chunks/0i5zz-01~ftzf.js | matched "\\x08" | 3 |
| low | Obfuscation | package/.next/static/chunks/0n.ub8l~47s0b.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0n3q5e.9tnkzj.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0nabgzg~ed.ac.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0o.f.5zfyw9fw.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0pdgrqz97l1cm.js | matched "\\x01" | 3 |
| low | Obfuscation | package/.next/static/chunks/0q3d589ojdtul.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0s5g1pqsd3_9t.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0to.ibol8tqw3.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0v88d8k3y2dcp.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/0vmsemm_hodoe.js | matched "\\x08" | 3 |
| low | Obfuscation | package/.next/static/chunks/0y-6rnwu5rs5r.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/.next/static/chunks/0y~l4~.2eg4yu.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/0z0q05gwd87j4.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/10q3w2jzmxzax.js | matched "\\x00" | 3 |
| low | Obfuscation | package/.next/static/chunks/13.dp-ouanczl.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/.next/static/chunks/17_oihk3c1vqm.js | matched "\\x08" | 3 |
| low | Obfuscation | package/.next/build/chunks/node_modules_07wog73._.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/.next/server/chunks/ssr/node_modules_0wd20xn._.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/.next/server/chunks/node_modules_next_0a~3vdv._.js | matched "Buffer.from(\"PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA2NCA2NCI+CiAgPHJlY3Qgd2lkdGg9IjY0IiBoZWlnaHQ9IjY0IiByeD0iMTQiIGZpbGw9IiMxMTE4MjAiLz4KICA8cGF0aCBkPSJNMTQgMjFsMTMgMTEtMTMgMTEiIGZpbGw9Im5vbmUiIHN0cm9rZT0iI2Y1ZjdmOCIgc3Ryb2tlLXdpZHRoPSI2IiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiLz4KICA8cGF0aCBkPSJNMjYgNDNoMTIiIGZpbGw9Im5vbmUiIHN0cm9rZT0iIzVmZDNiMyIgc3Ryb2tlLXdpZHRoPSI2IiBzdHJva2UtbGluZWNhcD0icm91bmQiLz4KICA8cGF0aCBkPSJNNTAgMjFMMzcgMzJsMTMgMTEiIGZpbGw9Im5vbmUiIHN0cm9rZT0iI2Y1ZjdmOCIgc3Ryb2tlLXdpZHRoPSI2IiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiLz4KPC9zdmc+Cg==\",\"base64" | 3 |
| low | Obfuscation | package/server/auth.ts | matched "Buffer.from(value, \"base64" | 3 |
Manifest
Package metadata
Scripts15
app-server:recovernode ./bin/codex-web-ui.js app-server recoverapp-server:restartnode ./bin/codex-web-ui.js app-server restartapp-server:startnode ./bin/codex-web-ui.js app-server startapp-server:statusnode ./bin/codex-web-ui.js app-server statusapp-server:stopnode ./bin/codex-web-ui.js app-server stopbuildnext buildchecktsc --noEmitdevnext dev --hostname ${HOST:-127.0.0.1} --port ${PORT:-4545}prepacknpm run buildstartnode ./bin/codex-web-ui.jstest:deploymentnode scripts/deployment-smoke.mjstest:dockernode scripts/docker-smoke.mjstest:e2eplaywright testtest:e2e:uiplaywright test --uitest:securitynode --import tsx --test tests/security/*.test.ts
Dependencies29
@ai-sdk/react^3.0.190@lexical/react^0.44.0@radix-ui/react-use-controllable-state^1.2.2@streamdown/cjk^1.0.3@streamdown/code^1.1.1@streamdown/math^1.0.2@streamdown/mermaid^1.0.2@tailwindcss/postcss^4.3.0ai^6.0.188ansi-to-react^6.2.6class-variance-authority^0.7.1clsx^2.1.1cmdk^1.1.1lexical^0.44.0lucide-react^0.561.0motion^12.39.0nanoid^5.1.11next^16.2.6radix-ui^1.4.3react^19.2.1react-dom^19.2.1react-markdown^10.1.0remark-gfm^4.0.1shiki^4.1.0streamdown^2.5.0tailwind-merge^3.6.0tailwindcss^4.3.0tw-animate-css^1.4.0use-stick-to-bottom^1.1.4