Package evidence

@powerhousedao/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 893Mature · −50% score
First published: Sep 2024
Publisher: memo.dev

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@powerhousedao/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@powerhousedao/[email protected]"],"fail_on":"high"}'

Publishermemo.dev

Artifact bytes316,562

Previous version6.2.0-dev.10

Published2026-06-12T03:16:41.483Z

SHA-25610b78972423f992aef2c995f019bdd3d3abdbc8c044d38a43b04ab8283536840

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

2h agoLast checked

highRisk

17Score

6.2.0-dev.11Version

Status history (1 event)

new → available2h ago · risk high · score 17 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35

Manifest

Package metadata

Scripts12

buildpnpm run build:bundle && pnpm run build:css
build:bundletsdown
build:csspnpm exec tailwindcss -i style.css -o dist/style.css
build:debugPH_DEBUG_BUILD=true vite build
cy:opencypress open
devvite dev
docker:builddocker build -f ./Dockerfile --tag connect-test-dev --build-arg TAG=dev .
docker:rundocker run -it -p 4000:4000 -v $(realpath ../../../monorepo):/monorepo -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf.template -e PH_CONNECT_BASE_PATH=/develop/powerhouse/connect -e PORT=4000 connect-test-dev
linteslint
previewvite preview
testvitest --run
tsctsc

Dependencies29

@electric-sql/pglite0.3.15
@electric-sql/pglite-tools0.2.20
@openfeature/core1.9.1
@openfeature/web-sdk1.6.2
@openpanel/web^1.4.1
@powerhousedao/config6.2.0-dev.11
@powerhousedao/design-system6.2.0-dev.11
@powerhousedao/document-engineering1.40.5
@powerhousedao/powerhouse-vetra-packages6.2.0-dev.11
@powerhousedao/reactor-attachments6.2.0-dev.11
@powerhousedao/reactor-browser6.2.0-dev.11
@powerhousedao/shared6.2.0-dev.11
@powerhousedao/vetra6.2.0-dev.11
@renown/sdk6.2.0-dev.11
@sentry/react^10.17.0
document-model6.2.0-dev.11
i18next^25.5.3
kysely0.28.16
kysely-pglite-dialect1.2.0
lucide-react^1.16.0
pglite-legacy-02npm:@electric-sql/[email protected]
pglite-tools-legacy-02npm:@electric-sql/[email protected]
react-error-boundary^4.0.11
react-hotkeys-hook^4.6.2
react-i18next^16.0.0
react-router-dom^6.11.2
tailwind-merge3.4.0
usehooks-ts^3.1.1
zod4.3.6