PkgRadar

Package evidence

@whgiimall/[email protected]

Credential File Packaged: package/templates/.npmrc

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
13
First published
Jun 2026
Publisher
hudulin

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@whgiimall/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@whgiimall/[email protected]"],"fail_on":"high"}'
Publisherhudulin
Artifact bytes25,751
Previous version0.1.6
Published2026-06-02T07:01:26.545Z
SHA-2563abe564ff69762a28b6bdecb5ba0aa1e38e38eeeefbc033bdce991c1b050bf94

Why flagged

What the scanner saw

Credential File Packaged: package/templates/.npmrc

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

not present

status
Last checked
noneRisk
Score
0.1.8Version

Latest scanner note: @whgiimall/[email protected] not present in registry metadata

Status history (2 events)
  1. availablenot_present · risk none · score · @whgiimall/[email protected] not present in registry metadata
  2. newavailable · risk high · score 43 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential File Packagedpackage/templates/.npmrcpackage/templates/.npmrc35
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential File Packagedpackage/templates/.npmrcpackage/templates/.npmrc35
lowCredential file accesspackage/src/index.mjsmatched ".npmrc"5
lowCredential file accesspackage/package.jsonmatched ".npmrc"3

Manifest

Package metadata

Scripts11
  • buildvite build && vue-tsc -b
  • devvite
  • formatprettier . --config config/prettier.config.mjs --ignore-path config/.prettierignore --write
  • format:checkprettier . --config config/prettier.config.mjs --ignore-path config/.prettierignore --check
  • linteslint ./src/**/*.{js,ts,vue,tsx,json} -c config/eslint.config.js --max-warnings 0 --cache
  • lint-stagedlint-staged -c config/lint-staged.config.mjs
  • lint:fixpnpm run lint --fix
  • preparehusky
  • previewvite preview
  • pullnode scripts/git-pull.mjs
  • pushnode scripts/git-push.mjs
Dependencies15
  • @element-plus/icons-vue2.3.2
  • @whgiimall/prototype-biz-selectors__WHGIIMALL_VERSION__
  • @whgiimall/prototype-core__WHGIIMALL_VERSION__
  • @whgiimall/prototype-layout__WHGIIMALL_VERSION__
  • @whgiimall/prototype-ui__WHGIIMALL_VERSION__
  • @whgiimall/vite-config-prototype__WHGIIMALL_VERSION__
  • axios1.16.1
  • dayjs1.11.20
  • element-plus2.14.0
  • giime0.9.15
  • lodash-es4.18.1
  • pinia2.3.1
  • vue3.5.34
  • vue-clipboard32.0.0
  • vue-router4.6.4