Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@specverse/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@specverse/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".AWS"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 90 · status changed
Related candidates
Linked campaigns and clusters
cainen
6 members · evidence strength 79Evidence
Static findings
12 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/libs/instance-factories/tools/templates/mcp/static/src/services/CLIProxyService.ts | matched ".AWS" | 30 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/mcp/static/scripts/build-enterprise.js | matched "curl " | 12 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/mcp/static/scripts/test-hybrid-simple.js | matched "curl " | 12 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/vscode/static/syntaxes/specverse.tmLanguage.json | matched "raw.githubusercontent.com" | 12 |
Show all 12 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/libs/instance-factories/tools/templates/mcp/static/src/services/CLIProxyService.ts | matched ".AWS" | 30 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/mcp/static/scripts/build-enterprise.js | matched "curl " | 12 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/mcp/static/scripts/test-hybrid-simple.js | matched "curl " | 12 |
| medium | Remote Payload | package/libs/instance-factories/tools/templates/vscode/static/syntaxes/specverse.tmLanguage.json | matched "raw.githubusercontent.com" | 12 |
| low | Obfuscation | package/assets/examples/validate-examples-with-expected-failures.cjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/assets/examples/validate-examples.cjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/assets/templates/backend-only/generated/code/integration-test.template.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/assets/templates/default/generated/code/integration-test.template.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/assets/templates/frontend-only/generated/code/integration-test.template.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/assets/templates/full-stack/generated/code/integration-test.template.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/package.json | matched "\\u2014" | 3 |
| low | Obfuscation | package/libs/instance-factories/tools/templates/mcp/static/src/services/HybridResourcesProvider.ts | matched "eval(" | 3 |
Manifest
Package metadata
Scripts4
buildtsc && tsc -p tsconfig.libs.jsonbuild:libstsc -p tsconfig.libs.jsonbuild:srctsccleanrm -rf dist
Dependencies9
@specverse/engine-generators4.0.1@specverse/engine-parser4.0.1@specverse/types4.0.1ajv^8.12.0ajv-formats^2.1.1glob^10.3.10js-yaml^4.1.0semver^7.7.3yaml^2.8.1