Package evidence

@zintrust/[email protected]

Credential File Packaged: package/src/services/default/test/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 5,229Niche · −30% score
Versions published: 224
First published: Dec 2025
Publisher: diadal

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zintrust/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zintrust/[email protected]"],"fail_on":"high"}'

Publisherdiadal

Artifact bytes873,408

Previous version2.4.0

Published2026-05-31T11:13:33.814Z

SHA-256ff24d3338b110d8ebc59d3622e82213fdc0e92bb1b173a2094d0df2dad47ee37

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 2.4.1 vs 2.4.0: "node -e \"process.exit(0)\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

7d agoLast checked

highRisk

185Score

2.4.1Version

Status history (1 event)

new → available17d ago · risk high · score 185 · status changed

Evidence

Static findings

12 static · 1 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	postinstall added in 2.4.1 vs 2.4.0: "node -e \"process.exit(0)\""	40
high	Credential File Packaged	package/src/services/default/test/.env	package/src/services/default/test/.env	35
high	Credential File Packaged	package/src/services/default/users/.env	package/src/services/default/users/.env	35
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"process.exit(0)\""	30

Show all 13 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	postinstall added in 2.4.1 vs 2.4.0: "node -e \"process.exit(0)\""	40
high	Credential File Packaged	package/src/services/default/test/.env	package/src/services/default/test/.env	35
high	Credential File Packaged	package/src/services/default/users/.env	package/src/services/default/users/.env	35
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"process.exit(0)\""	30
low	Credential file access	package/src/toolkit/Secrets/providers/AwsSecretsManager.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/cli/scaffolding/env.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/config/env.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/config/queue.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/tools/storage/drivers/S3.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/tools/mail/drivers/Ses.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/config/storage.ts	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/src/cli/services/WorkerStartupDiagnostics.ts	matched "AWS_ACCESS_KEY"	5
low	Install-time lifecycle script	package.json	postinstall="node -e \"process.exit(0)\""	5

Manifest

Package metadata

Scripts116

b:pushnpm run lint:strict
bgnpm install -g /opt/homebrew/var/www/Sites/zintrust/dist
buildnpm run clean && npm run templates:check && tsc && tsc-alias && node scripts/rewrite-dist-tsconfig-aliases.mjs && node scripts/fix-dist-esm-imports.mjs && node scripts/fix-worker-aliases.mjs && node scripts/copy-cli-templates-to-dist.mjs && node scripts/copy-getting-started-to-dist-readme.mjs && node scripts/copy-docs-public-to-dist.mjs && node scripts/generate-dist-package.mjs && node scripts/replace-build-placeholders.mjs && node scripts/add-version-banner.mjs && node scripts/generate-build-manifest.mjs && npm run packages:build:all
build:ciexport CI=true && npm run -s ci:remove-dev-routes && npm run clean && npm run templates:check && tsc && tsc-alias && node scripts/rewrite-dist-tsconfig-aliases.mjs && node scripts/copy-docs-public-to-dist.mjs && node scripts/fix-dist-esm-imports.mjs && node scripts/fix-worker-aliases.mjs && node scripts/generate-dist-package.mjs && node scripts/replace-build-placeholders.mjs && node scripts/add-version-banner.mjs && node scripts/generate-build-manifest.mjs && npm run packages:build:all
build:dkexport CI=true && npm run -s ci:remove-dev-routes && npm run clean && npm run templates:check && npm run packages:build:docker && tsc && tsc-alias && node scripts/rewrite-dist-tsconfig-aliases.mjs && node scripts/copy-docs-public-to-dist.mjs && node scripts/fix-dist-esm-imports.mjs && node scripts/fix-worker-aliases.mjs && node scripts/generate-dist-package.mjs && node scripts/replace-build-placeholders.mjs && node scripts/add-version-banner.mjs && node scripts/generate-build-manifest.mjs
cagnpm run cleanup:github-actions
check-upnpx npm-check-updates -u && npm install --no-audit --no-fund
check-up:checknpx npm-check-updates
check:workspace-versionsnode scripts/release/sync-package-versions.mjs --check
ci:coverage-prepnode -e "if (process.env.CI==='true' || process.env.CI==='1') require('node:child_process').execSync('node scripts/toggle-dev-routes.mjs remove', { stdio: 'inherit' })"
ci:remove-dev-routesnode scripts/toggle-dev-routes.mjs remove
cleanrm -rf dist
cleanup:github-actionsbash ./dev/cleanup-github-actions.sh
commemtoutbash ./scripts/disable-plugins-import.sh
corenpm run core:build:dist
core:build:distnpm run -s worker-plugins:ensure && npm run clean && npm run templates:check && tsc && tsc-alias && node scripts/rewrite-dist-tsconfig-aliases.mjs && node scripts/fix-dist-esm-imports.mjs && node scripts/fix-worker-aliases.mjs && node scripts/copy-cli-templates-to-dist.mjs && node scripts/copy-getting-started-to-dist-readme.mjs && node scripts/copy-docs-public-to-dist.mjs && node scripts/generate-dist-package.mjs && node scripts/replace-build-placeholders.mjs && node scripts/add-version-banner.mjs && node scripts/generate-build-manifest.mjs
core:link-distmkdir -p node_modules/@zintrust && rm -rf node_modules/@zintrust/core && ln -s ../../dist node_modules/@zintrust/core && ls -la node_modules/@zintrust/core && cat node_modules/@zintrust/core/package.json | head -n 8
coverage:difftsx scripts/coverage-diff.ts
coverage:patchsh scripts/coverage-patch.sh
dblnpm run docs:build:all
deploynode scripts/run-local-wrangler.mjs --cwd docs-website -- wrangler types && node scripts/run-local-wrangler.mjs --cwd docs-website -- wrangler deploy --env ${WRANGLER_ENV:-production}
deploy:cp./bin/z.ts deploy:ccp
deploy:d1wrangler deploy --env d1-proxy
deploy:kvwrangler deploy --env kv-proxy
deploy:wkwrangler deploy --env worker
dev./bin/z.ts s
dev:cpnode scripts/dev-cp.mjs
dev:cp:buildnpm run dev:cp -- --pull
dev:cp:cleannode scripts/dev-cp.mjs --clean-images
dev:cp:pullnpm run dev:cp -- --pull
…and 86 more.

Dependencies12

@cloudflare/containers^0.3.5
bcryptjs^3.0.3
bullmq^5.77.6
chalk^5.6.2
commander^15.0.0
inquirer^14.0.1
ioredis^5.11.0
jsonwebtoken^9.0.3
mysql2^3.22.4
pg^8.21.0
redis^6.0.0
tsx^4.22.3