Package evidence

@veilnyx-sdk/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: Jun 2026
Publisher: miraldev

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@veilnyx-sdk/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@veilnyx-sdk/[email protected]"],"fail_on":"high"}'

Publishermiraldev

Artifact bytes935,046

Previous version1.0.0

Published2026-06-02T12:30:56.470Z

SHA-256115047730af941f90dd41ac7e32b890b1a3d8454e21397d51d0165da0e61e460

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

3d agoLast checked

highRisk

35Score

1.0.1Version

Status history (1 event)

new → available11d ago · risk high · score 35 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35

Manifest

Package metadata

Scripts17

authyarn start auth
auth:bandadayarn start auth-bandada
auth:siweyarn start auth-siwe
buildrimraf dist && rollup -c rollup.config.ts --configPlugin typescript
build:watchrollup -c rollup.config.ts -w --configPlugin typescript
ceremony:participantsyarn start ceremony participants
cleanyarn start clean
contributeyarn start contribute
coordinate:finalizeyarn start coordinate finalize
coordinate:observeyarn start coordinate observe
coordinate:setupyarn start coordinate setup
docstypedoc src/**/*.ts --out ../../docs/phase2cli
listyarn start list
logoutyarn start logout
prepublishOnlynpm run build
startnode --loader ts-node/esm ./src/index.ts
validateyarn start validate

Dependencies33

@adobe/node-fetch-retry^2.2.0
@aws-sdk/client-s3^3.329.0
@bandada/api-sdk^1.0.0-beta.1
@octokit/auth-oauth-app^5.0.5
@octokit/auth-oauth-device^4.0.4
@octokit/request^6.2.3
@p0tion/actions^1.2.8
@semaphore-protocol/identity^3.15.1
blakejs^1.2.1
boxen^7.1.0
chalk^5.2.0
clear^0.1.0
cli-progress^3.12.0
clipboardy^3.0.0
commander^10.0.1
conf^11.0.1
dotenv^16.0.3
ethers^6.9.0
figlet^1.6.0
firebase^9.21.0
log-symbols^5.1.0
mime-types^2.1.35
node-disk-info^1.3.0
node-emoji^1.11.0
node-fetch^3.3.1
open^9.1.0
ora^6.3.0
prompts^2.4.2
rimraf^5.0.0
rollup^3.21.6
…and 3 more.