PkgRadar

Package evidence

@whgiimall/[email protected]

Credential File Packaged: package/templates/.npmrc

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
Jun 2026
Publisher
hudulin

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@whgiimall/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@whgiimall/[email protected]"],"fail_on":"high"}'
Publisherhudulin
Artifact bytes31,651
Previous versionnone
Published2026-06-09T03:58:19.907Z
SHA-2566c16bfeda0c4fe54f21183fe1489a498d121f5dc6f511e814a6d4f0d679ea1c8

Why flagged

What the scanner saw

Credential File Packaged: package/templates/.npmrc

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
43Score
0.1.18Version
Status history (2 events)
  1. availableavailable · risk high · score 43 · status available -> available, risk high -> high, score 30 -> 43
  2. newavailable · risk high · score 30 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential File Packagedpackage/templates/.npmrcpackage/templates/.npmrc35
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential File Packagedpackage/templates/.npmrcpackage/templates/.npmrc35
lowCredential file accesspackage/src/index.mjsmatched ".npmrc"5
lowCredential file accesspackage/package.jsonmatched ".npmrc"3

Manifest

Package metadata

Scripts11
  • buildvite build && vue-tsc -b
  • devvite
  • formatprettier . --config config/prettier.config.mjs --ignore-path config/.prettierignore --write
  • format:checkprettier . --config config/prettier.config.mjs --ignore-path config/.prettierignore --check
  • linteslint ./src/**/*.{js,ts,vue,tsx,json} -c config/eslint.config.js --max-warnings 0 --cache
  • lint-stagedlint-staged -c config/lint-staged.config.mjs
  • lint:fixpnpm run lint --fix
  • preparehusky
  • previewvite preview
  • pullnode scripts/git-pull.mjs
  • pushnode scripts/git-push.mjs
Dependencies22
  • @element-plus/icons-vue2.3.2
  • @vueuse/core14.3.0
  • @vueuse/integrations14.3.0
  • @wangeditor/editor5.1.23
  • @wangeditor/editor-for-vue5.1.12
  • @whgiimall/prototype-biz-selectors__WHGIIMALL_VERSION__
  • @whgiimall/prototype-core__WHGIIMALL_VERSION__
  • @whgiimall/prototype-layout__WHGIIMALL_VERSION__
  • @whgiimall/prototype-ui__WHGIIMALL_VERSION__
  • @whgiimall/vite-config-prototype__WHGIIMALL_VERSION__
  • axios1.16.1
  • dayjs1.11.20
  • decimal.js10.6.0
  • echarts5.6.0
  • element-plus2.14.0
  • giime0.9.15
  • js-cookie3.0.7
  • lodash-es4.18.1
  • pinia2.3.1
  • vue3.5.34
  • vue-clipboard32.0.0
  • vue-router4.6.4