PkgRadar

Package evidence

@posthog/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 204 · Mature · −50% score
First published: Jan 2021
Publisher: yakkomajuri
External confirmation: MAL-2025-190947 · OSV match · pinned to high regardless of other signals

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@posthog/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@posthog/[email protected]"],"fail_on":"high"}'

Publisher: yakkomajuri
Artifact bytes: 354,532
Previous version: 1.10.6
Published: 2021-11-30T21:06:48.232Z
SHA-256: 7b08b7352bdf6aadaa16b86108d5368b52a28f2852eb08d4da796184e3a37da9

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 3
Version: 1.10.7
Status history (1 event)
  1. new available · risk high · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

Severity | Kind | Path | Detail | Points
low | Credential file access | package/dist/main/job-queues/redlocked/s3-queue.js | matched "AWS_ACCESS_KEY" | 5
low | Credential file access | package/src/main/job-queues/redlocked/s3-queue.ts | matched "AWS_ACCESS_KEY" | 5

Manifest

Package metadata

Scripts (34)
  • benchmark: yarn run benchmarks:clickhouse && yarn run benchmark:postgres && yarn run benchmarks:vm
  • benchmark:clickhouse: node --expose-gc node_modules/.bin/jest --runInBand benchmarks/clickhouse/
  • benchmark:postgres: node --expose-gc node_modules/.bin/jest --runInBand benchmarks/postgres/
  • benchmark:vm:memory: node --expose-gc node_modules/.bin/jest --runInBand benchmarks/vm/memory.benchmark.ts
  • benchmark:vm:worker: node --expose-gc node_modules/.bin/jest --runInBand benchmarks/vm/worker.benchmark.ts
  • build: yarn clean && yarn compile
  • clean: rimraf dist/*
  • compile: yarn protobuf:compile && yarn typescript:compile
  • lint: eslint .
  • lint:fix: eslint --fix .
  • prepare: yarn protobuf:compile
  • prepublishOnly: yarn build
  • prettier: prettier --write .
  • prettier:check: prettier --check .
  • protobuf:compile: cd src/config/idl/ && rimraf protos.* && pbjs -t static-module -w commonjs -o protos.js *.proto && pbts -o protos.d.ts protos.js && eslint --fix . && prettier --write .
  • services: yarn services:stop && yarn services:clean && yarn services:start
  • services:clean: cd .. && docker-compose -f ee/docker-compose.ch.yml rm -v zookeeper kafka clickhouse
  • services:start: cd .. && docker-compose -f ee/docker-compose.ch.yml up zookeeper kafka clickhouse
  • services:stop: cd .. && docker-compose -f ee/docker-compose.ch.yml down
  • setup:dev:clickhouse: cd .. && export DEBUG=1 PRIMARY_DB=clickhouse && python manage.py migrate_clickhouse
  • setup:test:clickhouse: cd .. && unset KAFKA_URL && export TEST=1 PRIMARY_DB=clickhouse CLICKHOUSE_DATABASE=posthog_test && python manage.py migrate_clickhouse
  • setup:test:ee: yarn setup:test:postgres && yarn setup:test:clickhouse
  • setup:test:postgres: cd .. && (dropdb test_posthog || echo 'no db to drop') && createdb test_posthog && DATABASE_URL=postgres://localhost:5432/test_posthog DEBUG=1 python manage.py migrate
  • start: yarn start:dist
  • start:dev: NODE_ENV=dev BASE_DIR=.. ts-node-dev --debug --exit-child src/index.ts
  • start:dev:ee: KAFKA_ENABLED=true KAFKA_HOSTS=localhost:9092 yarn start:dev
  • start:dist: BASE_DIR=.. node dist/index.js
  • test: jest --runInBand --forceExit tests/**/*.test.ts
  • test:clickhouse:1: jest --runInBand --forceExit tests/clickhouse/postgres-parity.test.ts tests/clickhouse/e2e.test.ts tests/clickhouse/ingestion-utils.test.ts
  • test:clickhouse:2: jest --runInBand --forceExit tests/clickhouse/process-event.test.ts
  • …and 4 more.
Dependencies (40)
  • @babel/core ^7.13.1
  • @babel/preset-env ^7.13.5
  • @babel/preset-typescript ^7.13.0
  • @babel/standalone ^7.13.7
  • @google-cloud/bigquery ^5.6.0
  • @google-cloud/pubsub ^2.16.0
  • @google-cloud/storage ^5.8.5
  • @maxmind/geoip2-node ^3.0.0
  • @posthog/clickhouse ^1.7.0
  • @posthog/piscina ^3.2.0-posthog
  • @posthog/plugin-contrib ^0.0.5
  • @posthog/plugin-scaffold 0.12.9
  • @sentry/node ^6.7.0
  • @sentry/tracing ^6.7.0
  • @types/lru-cache ^5.1.0
  • adm-zip 0.5.3
  • aws-sdk ^2.927.0
  • escape-string-regexp ^4.0.0
  • faker ^5.5.3
  • fast-deep-equal ^3.1.3
  • generic-pool ^3.7.1
  • graphile-worker ^0.11.1
  • hot-shots ^8.3.2
  • ioredis ^4.27.6
  • jsonwebtoken ^8.5.1
  • kafkajs ^1.15.0
  • lru-cache ^6.0.0
  • luxon ^1.27.0
  • node-fetch ^2.6.1
  • node-schedule ^2.0.0
  • …and 10 more.