Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched "aws_secret_access_key"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 330 · status changed
Related candidates
Linked campaigns and clusters
havingautism
3 members · evidence strength 74Evidence
Static findings
65 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/src/core/memory-policy.js | matched "aws_secret_access_key" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-BXQtTCIF.js | matched ".ssh" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-c8xWrNd3.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-CZmvLMqX.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-yCipMU7O.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-D3m6Naeo.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-DccX1P6V.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-BwKAM01v.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-JHRd8dm2.js | high encoded/escaped-token density | 12 |
Show all 65 findings (low-signal and informational)
Showing 60 of 65 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/src/core/memory-policy.js | matched "aws_secret_access_key" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-BXQtTCIF.js | matched ".ssh" | 30 |
| high | Credential file access | package/codemini-web/dist/assets/ssh-config-c8xWrNd3.js | matched ".ssh" | 30 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-CZmvLMqX.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/blade-yCipMU7O.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-D3m6Naeo.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/julia-DccX1P6V.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-BwKAM01v.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/codemini-web/dist/assets/php-JHRd8dm2.js | high encoded/escaped-token density | 12 |
| low | Obfuscation | package/codemini-web/dist/assets/ara-BT0X4Ugj.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ara-qfWmV7HG.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/blade-CZmvLMqX.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/blade-yCipMU7O.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/src/tui/chat-app.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/src/core/chat-runtime.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/src/core/checkpoint-store.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/chunk-BO2N2NFS-B_1mmJ7o.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coffee-Cc_rWR8J.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coffee-CdHPU0ae.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coq-Bmhb9ZJj.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/coq-D4ZSdG5c.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/crystal-CCdHnjgs.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/crystal-t_quMnAc.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/css-Dc4AJufL.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/css-DKpeQqkt.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-js-CRAd8ThK.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-js-YD0svSjH.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-ts-Dysf6LgD.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/glimmer-ts-WIXVzXxb.js | matched "\\x08" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/hack-BdKVn6Ts.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/hack-D8c17tYc.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/html-CCTOuWUS.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/html-CZTYweBl.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/index-ljD0hqud.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/src/tui/input-escape.js | matched "\\u001b" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/julia-D3m6Naeo.js | matched "\\x01" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/julia-DccX1P6V.js | matched "\\x01" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/less-CoKjthp_.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/less-JuMn7boC.js | matched "\\x00" | 3 |
| low | Obfuscation | package/src/core/memory-store.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/MessageBubble-CSvSr7aZ.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/src/core/non-git-backup.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/PatchDiff-CrJnCWDC.js | matched "\\uD800" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/php-BwKAM01v.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/php-JHRd8dm2.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/puppet-B3zJXSOB.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/puppet-yCBm5gB1.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/src/core/reflect-skill.js | matched "\\u4e00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ruby-CwtBzJIV.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/ruby-DmsyVxr4.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/scss-BFSkWzzh.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/scss-CTNVYtth.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stata-B_vhRYNj.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stata-DnXsHu83.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stylus-BwVy3Jct.js | matched "\\x00" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/stylus-DzU-XN_s.js | matched "\\x00" | 3 |
| low | Obfuscation | package/src/core/tool-output.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/twig-Cdoxc7wn.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/twig-CNvzppk5.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/codemini-web/dist/assets/typst-CVrFKV6q.js | matched "\\x00" | 3 |
Manifest
Package metadata
Scripts8
build:webnpm install --prefix codemini-web && npm run build --prefix codemini-webbump:majornpm version major --no-git-tag-versionbump:minornpm version minor --no-git-tag-versionbump:patchnpm version patch --no-git-tag-versionpack:offlinenpm packprepacknpm run build:webstartnode bin/coder.jstestnode --test tests/*.test.js
Dependencies7
@cursorless/tree-sitter-wasms^0.8.1cheerio^1.1.2cli-truncate^6.0.0ink^7.0.0react^19.2.5strip-ansi^7.2.0web-tree-sitter^0.26.8