Package evidence

@surething/[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 47
First published: Mar 2026
Publisher: robert-sure

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@surething/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@surething/[email protected]"],"fail_on":"review"}'

Publisherrobert-sure

Artifact bytes8,325,909

Previous version1.0.220

Published2026-06-12T17:03:30.192Z

SHA-25625740e15ff17e532529b778045e4453cffd0c22cd8163fa1ddb76aadcda2f9bb

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

26h agoLast checked

reviewRisk

10Score

1.0.221Version

Status history (1 event)

new → available26h ago · risk review · score 10 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 4 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/.next-prod/static/chunks/6046.00d36aea7fd5b147.js	matched ".ssh/"	5
low	Install-time lifecycle script	package.json	postinstall="node bin/postinstall.mjs"	5
low	Large Javascript Payload	package/.next-prod/server/chunks/3408.js	2652483 bytes	0
low	Large Javascript Payload	package/.next-prod/server/chunks/7184.js	2511676 bytes	0

Manifest

Package metadata

Scripts12

buildnext build --webpack
build:servertsup --config tsup.server.ts
copy-wasmsnode scripts/copy-tree-sitter-wasms.mjs
devCOCKPIT_ENV=dev node --import tsx server.mjs
generate-iconsnode scripts/generate-icons.js
linteslint
postinstallnode bin/postinstall.mjs
prebuildnode scripts/copy-tree-sitter-wasms.mjs
predevnode scripts/copy-tree-sitter-wasms.mjs
prepublishOnlynpm run build && npm run build:server && rm -rf .next-prod/cache
setupnpm run build && npm run build:server && npm link
setup-devnode bin/setup-dev.mjs

Dependencies50

@ai-sdk/openai^3.0.52
@anthropic-ai/claude-agent-sdk^0.3.158
@dagrejs/dagre^3.0.0
@tanstack/react-virtual^3.13.18
@tiptap/extension-link^3.19.0
@tiptap/extension-placeholder^3.19.0
@tiptap/extension-table^3.19.0
@tiptap/extension-table-cell^3.19.0
@tiptap/extension-table-header^3.19.0
@tiptap/extension-table-row^3.19.0
@tiptap/extension-task-item^3.19.0
@tiptap/extension-task-list^3.19.0
@tiptap/react^3.19.0
@tiptap/starter-kit^3.19.0
@types/hast^3.0.4
@types/pg^8.18.0
@types/react-syntax-highlighter^15.5.13
@vscode/ripgrep^1.17.0
@xterm/addon-fit^0.11.0
@xterm/addon-search^0.16.0
@xterm/xterm^6.0.0
@xyflow/react^12.10.2
ai^6.0.154
ansi_up^6.0.6
fast-glob^3.3.3
graphology^0.26.0
graphology-communities-louvain^2.0.2
i18next^25.10.9
ioredis^5.10.0
lucide-react^0.564.0
…and 20 more.