Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched "aws_secret_access_key"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 330 · status changed
Related candidates
Linked campaigns and clusters
havingautism
3 members · evidence strength 74Evidence
Static findings
65 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/src/core/memory-policy.js | matched "aws_secret_access_key" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-B2E5WPpD.js | matched ".ssh" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-JoXpWa3y.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-CxVOILUn.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-DsiMSXb3.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-D6Tp2lkv.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-ssnM4-62.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-9sDqPlZW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-BbiCqfrp.js | high encoded/escaped-token density | 12 |
Show all 65 findings (low-signal and informational)
Showing 60 of 65 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/src/core/memory-policy.js | matched "aws_secret_access_key" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-B2E5WPpD.js | matched ".ssh" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-JoXpWa3y.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-CxVOILUn.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-DsiMSXb3.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-D6Tp2lkv.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-ssnM4-62.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-9sDqPlZW.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-BbiCqfrp.js | high encoded/escaped-token density | 12 |
| low | Obfuscation | package/codemini-web/dist/assets/ara-CJYv1XlV.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ara-DKlv0ib1.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/blade-CxVOILUn.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/blade-DsiMSXb3.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/src/tui/chat-app.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/src/core/chat-runtime.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/src/core/checkpoint-store.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/chunk-BO2N2NFS-DMUdjM9q.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coffee-C_zREOQP.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coffee-DYSdownS.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coq-D004aLp-.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coq-DsaqZ5gv.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/crystal-CoqbT5f8.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/crystal-N7P3W5Mw.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/css-D2Zgfenk.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/css-DI4Ka_1L.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-js-bG2aM9pf.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-js-BhZXPPf_.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-ts-BZwU8tUk.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-ts-D6GU3-HZ.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/hack-BIx3oBuG.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/hack-Dl73UNBo.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/html-CCOAFbPU.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/html-DFeJ4St6.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/index-BhMtCC8_.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/src/tui/input-escape.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/julia-D6Tp2lkv.js | matched "\\x01" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/julia-ssnM4-62.js | matched "\\x01" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/less-_4Z4Zbgj.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/less-Dycz37IB.js | matched "\\x00" | 3 |
| low | Obfuscation | package/src/core/memory-store.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/MessageBubble-BIgpZsLn.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/src/core/non-git-backup.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/PatchDiff-CvKNaHsw.js | matched "\\uD800" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/php-9sDqPlZW.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/php-BbiCqfrp.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/puppet-BAAnN8uU.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/puppet-ZnM2F-kY.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/src/core/reflect-skill.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ruby-DJfS371J.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ruby-DQmpjmxU.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/scss-By7PHVyf.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/scss-CQGBghOa.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stata-Cxm-fX20.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stata-rcB48Bwa.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stylus-BPw8WnNN.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stylus-C836DBsS.js | matched "\\x00" | 3 |
| low | Obfuscation | package/src/core/tool-output.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/twig-BOjawstu.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/twig-l2jHuCJP.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/typst-BcQNhVIE.js | matched "\\x00" | 3 |
Manifest
Package metadata
Scripts8
build:webnpm install --prefix codemini-web && npm run build --prefix codemini-webbump:majornpm version major --no-git-tag-versionbump:minornpm version minor --no-git-tag-versionbump:patchnpm version patch --no-git-tag-versionpack:offlinenpm packprepacknpm run build:webstartnode bin/coder.jstestnode --test tests/*.test.js
Dependencies7
@cursorless/tree-sitter-wasms^0.8.1cheerio^1.1.2cli-truncate^6.0.0ink^7.0.0react^19.2.5strip-ansi^7.2.0web-tree-sitter^0.26.8