PkgRadar

Package evidence

[email protected]

Credential file access: matched ".Azure"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishercdktn-team
Artifact bytes833,573
Previous version0.24.0-pre.11
Published2026-05-18T14:08:40.057Z
SHA-256ff13e30c5dbd53894abfbe6489ef4fe70cfd34be19a61795896eaf13b1e845bd

Why flagged

What the scanner saw

Credential file access: matched ".Azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
57Score
0.24.0-pre.12Version
Status history (1 event)
  1. newavailable · risk high · score 57 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

cdktn-team

5 members · evidence strength 73

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/lib/backends/azurerm-backend.jsmatched ".Azure"30
Show all 10 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/lib/backends/azurerm-backend.jsmatched ".Azure"30
lowObfuscationpackage/node_modules/fflate/lib/browser.cjsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/fflate/lib/index.cjsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/fflate/lib/node.cjsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/fflate/esm/browser.jsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/fflate/umd/index.jsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/get-intrinsic/index.jsmatched "Eval("3
lowObfuscationpackage/node_modules/jsonify/lib/parse.jsmatched "fromCharCode"3
lowObfuscationpackage/node_modules/jsonify/lib/stringify.jsmatched "\\x00"3
lowObfuscationpackage/node_modules/fflate/esm/index.mjsmatched "fromCharCode"3

Manifest

Package metadata

Scripts13
  • buildjsii --silence-warnings reserved-word
  • dist-cleanrm -rf dist
  • packagejsii-pacmak && bash ./go-copyright-header.sh
  • package:dotnetjsii-pacmak --targets dotnet
  • package:gojsii-pacmak --targets go
  • package:javajsii-pacmak --targets java
  • package:jsjsii-pacmak --targets js
  • package:pythonjsii-pacmak --targets python
  • testjest
  • test:cijest --ci
  • test:updatejest -u
  • watchjsii -w --silence-warnings reserved-word
  • watch-preserve-outputtsc -w --preserveWatchOutput
Dependencies3
  • fflate0.8.2
  • json-stable-stringify1.3.0
  • semver7.7.4