Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 73Established · −30% score
- First published
- Oct 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@nebius/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@nebius/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "aws_access_key"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 6 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/cjs/api/nebius/iam/v1/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/cjs/api/nebius/iam/v2/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/esm/api/nebius/iam/v1/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/esm/api/nebius/iam/v2/index.js | matched "aws_access_key" | 5 |
Manifest
Package metadata
Scripts24
bootstrap:generatornode scripts/bootstrap-generator.jsbuildrimraf dist && npm run generate && npm run build:cjs && npm run build:esm && node scripts/build-esm-facades.js && node scripts/postbuild-mark-module-type.jsbuild:cjstsc -p tsconfig.cjs.jsonbuild:esmtsc -p tsconfig.esm.jsonbuild:scriptstsc -p tsconfig.scripts.json && chmod +x dist-scripts/scripts/protoc-gen-nebius-ts-sdk.js dist-scripts/scripts/protoc-gen-nebius-ts.jscleannpm run clean:generated && rimraf dist dist-scripts src/generated_test generated_test.lockclean:generatedrimraf src/version.ts src/apidocsnpm run docs:extract-services && typedocdocs:extract-servicests-node scripts/extract-services.tsformatprettier --write .format:checkprettier --check .generatenpm run build:scripts && npm run clean:generated && buf generate nebius-api && npm run generate:versiongenerate:fullnpm run generate && npm run bootstrap:generatorgenerate:versionnode dist-scripts/scripts/version-gen.jsindexgennode -r ts-node/register scripts/gen-indexes.tslinteslint src/**/*.ts --no-warn-ignoredlint:fixeslint src/**/*.ts --fix --no-warn-ignored && npm run formatpreparehuskyprepublishOnlynpm run buildtestjesttest:buildsjest --testPathPatterns='build_'test:e2ejest --testPathPatterns='e2e_'test:noserverjest --testPathIgnorePatterns='e2e_|build_'test:watchjest --watch
Dependencies8
@bufbuild/protobuf^2.0.0@grpc/grpc-js^1.13.4@grpc/proto-loader^0.8.0dayjs^1.11.18fs-ext^2.1.1google-protobuf^4.0.0long^5.3.2yaml^2.9.0