PkgRadar

Package evidence

@workglow/[email protected]

Credential file access: matched ".azure"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@workglow/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@workglow/[email protected]"],"fail_on":"high"}'
Publishersroussey
Artifact bytes539,243
Previous version0.3.6
Published2026-05-24T22:56:51.633Z
SHA-256b060da7f597cb31532621dbc1afab7a12cb2a31d2b51d99ca20c127e95ce50ab

Why flagged

What the scanner saw

Credential file access: matched ".azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
132Score
0.3.7Version
Status history (1 event)
  1. newavailable · risk high · score 132 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

sroussey

3 members · evidence strength 66

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/browser.jsmatched ".azure"30
highCredential file accesspackage/dist/bun.jsmatched ".azure"30
highCredential file accesspackage/dist/electron.jsmatched ".azure"30
highCredential file accesspackage/dist/node.jsmatched ".azure"30
Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/browser.jsmatched ".azure"30
highCredential file accesspackage/dist/bun.jsmatched ".azure"30
highCredential file accesspackage/dist/electron.jsmatched ".azure"30
highCredential file accesspackage/dist/node.jsmatched ".azure"30
lowObfuscationpackage/dist/browser.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/bun.jsmatched "\\u2026"3
lowObfuscationpackage/dist/electron.jsmatched "Buffer.from(base64, \"base64"3
lowObfuscationpackage/dist/node.jsmatched "Buffer.from(base64, \"base64"3

Manifest

Package metadata

Scripts17
  • build-browserbun build --target=browser --sourcemap=external --packages=external --outdir ./dist ./src/browser.ts
  • build-bunbun build --target=bun --sourcemap=external --packages=external --outdir ./dist ./src/bun.ts
  • build-cleanrm -fr dist/* tsconfig.tsbuildinfo
  • build-electronbun build --target=node --sourcemap=external --packages=external --outdir ./dist ./src/electron.ts
  • build-jsconcurrently -c 'auto' -n 'browser,node,bun,electron' 'bun run build-browser' 'bun run build-node' 'bun run build-bun' 'bun run build-electron'
  • build-nodebun build --target=node --sourcemap=external --packages=external --outdir ./dist ./src/node.ts
  • build-packageconcurrently -c 'auto' -n 'browser,node,bun,electron,types' 'bun run build-browser' 'bun run build-node' 'bun run build-bun' 'bun run build-electron' 'bun run build-types'
  • build-typesrm -f tsconfig.tsbuildinfo && tsgo
  • linteslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0
  • testbun test
  • watchconcurrently -c 'auto' 'bun:watch-*'
  • watch-browserbun build --watch --no-clear-screen --target=browser --sourcemap=external --packages=external --outdir ./dist ./src/browser.ts
  • watch-bunbun build --watch --no-clear-screen --target=bun --sourcemap=external --packages=external --outdir ./dist ./src/bun.ts
  • watch-electronbun build --watch --no-clear-screen --target=node --sourcemap=external --packages=external --outdir ./dist ./src/electron.ts
  • watch-jsconcurrently -c 'auto' -n 'browser,node,bun,electron' 'bun run watch-browser' 'bun run watch-node' 'bun run watch-bun' 'bun run watch-electron'
  • watch-nodebun build --watch --no-clear-screen --target=node --sourcemap=external --packages=external --outdir ./dist ./src/node.ts
  • watch-typestsc --watch --preserveWatchOutput
Dependencies2
  • ipaddr.js^2.4.0
  • undici^8.3.0
Optional dependencies1
  • papaparse^5.5.3