PkgRadar

Package evidence

@owox/[email protected]

Credential file access: matched ".AWS"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@owox/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@owox/[email protected]"],"fail_on":"high"}'
Publishermax-voloshyn
Artifact bytes132,760
Previous version0.26.0-next-20260522131154
Published2026-05-22T13:16:13.859Z
SHA-2561a3b3792d15b3f1be6722ed368e1f54642ede7c998ec3ad545e72b9b98161121

Why flagged

What the scanner saw

Credential file access: matched ".AWS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
30Score
0.26.0-next-20260522131549Version
Status history (1 event)
  1. newavailable · risk high · score 30 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

max-voloshyn

6 members · evidence strength 75

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/core/onboarding-constants.jsmatched ".AWS"30

Manifest

Package metadata

Scripts12
  • buildtsc && node ./scripts/copy-public.cjs
  • build:depnpm run build:internal-helpers && npm run build:idp-protocol
  • build:idp-protocolnpm run build -w @owox/idp-protocol --prefix ../..
  • build:internal-helpersnpm run build -w @owox/internal-helpers --prefix ../..
  • cleanshx rm -rf dist
  • formatprettier --write "**/*.{ts,js,json,md}" --ignore-path ../../.prettierignore
  • format:checkprettier --check "**/*.{ts,js,json,md}" --ignore-path ../../.prettierignore
  • linteslint . --config ./eslint.config.js
  • lint:fixeslint . --fix --config ./eslint.config.js
  • prepublishOnlynpm run lint && npm run typecheck
  • testNODE_OPTIONS=--experimental-vm-modules jest
  • typechecktsc --noEmit
Dependencies13
  • @owox/idp-protocol0.26.0-next-20260522131549
  • @owox/internal-helpers0.26.0-next-20260522131549
  • axios^1.11.0
  • better-auth1.5.3
  • better-sqlite3^12.2.0
  • cookie-parser^1.4.7
  • ejs^3.1.10
  • env-paths^3.0.0
  • jose^6.0.12
  • mailchecker^6.0.19
  • ms^2.1.3
  • mysql2^3.14.3
  • pkce-challenge^5.0.0