PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
3,246Niche · −30% score
Versions published
237
First published
Jan 2026
Publisher
simon_he

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishersimon_he
Artifact bytes9,748,107
Previous version0.0.18-beta.2
Published2026-03-14T14:22:05.528Z
SHA-256e9d08e2af52145b45e708a5a254d1e2027c487bd9075918e68743e817242f5a4

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
7Score
0.0.18Version
Status history (1 event)
  1. newavailable · risk review · score 7 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/assets/gui/_nuxt/_ykCGR6B.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.mjs"5
lowLarge Javascript Payloadpackage/assets/gui/_nuxt/B8T9Vkkp.js2351079 bytes0
lowLarge Javascript Payloadpackage/assets/gui/_nuxt/Z6tloZ0k.js2765656 bytes0
lowObfuscation Densitypackage/assets/gui/_nuxt/chunk-B4BG7PRW-BTzCu0pf.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/assets/gui/_nuxt/flowDiagram-NV44I4VS-zt5vccS4.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/assets/gui/_nuxt/ts.worker-BkEcNiLV.js7010162 bytes0
lowLarge Javascript Payloadpackage/dist/cli.mjs8088390 bytes0

Manifest

Package metadata

Scripts28
  • bench:acpbun scripts/acp-session-benchmark.ts
  • bench:acp:gatebun scripts/acp-session-benchmark-gate.ts
  • bench:scrollbun scripts/scroll-benchmark.ts
  • bench:stdoutbun scripts/stdout-benchmark.ts
  • buildbun run build.mjs
  • build:binarybun run build.mjs --binary
  • build:binary:linuxbun run build.mjs --binary --target=bun-linux-x64
  • build:binary:linux-arm64bun run build.mjs --binary --target=bun-linux-arm64
  • build:binary:macosbun run build.mjs --binary --target=bun-darwin-arm64
  • build:binary:macos-x64bun run build.mjs --binary --target=bun-darwin-x64
  • build:binary:windowsbun run build.mjs --binary --target=bun-windows-x64
  • build:npmtsdown && bun run scripts/copy-provider-models.mjs
  • clibun scripts/cli-watch.mjs
  • cli:debugDIMCODE_DEBUG=1 bun scripts/cli-watch.mjs --watch -- --debug
  • cli:debug:runDIMCODE_DEBUG=1 bun src/cli.ts --debug
  • cli:runDIMCODE_DEBUG=1 esno src/cli.ts
  • cli:run:nodenode --enable-source-maps --import tsx src/cli.ts
  • fix-packagebun run fix-package.mjs
  • linteslint src/**/*.ts
  • lint:fixeslint src/**/*.ts --fix
  • postinstallnode scripts/postinstall.mjs
  • prepackbun run build
  • releasebumpp --commit --no-verify --no-tag --no-push && bun run build && bun publish
  • release:npmbumpp --commit --no-verify --no-tag --no-push && bun run build:npm && npm publish
  • restore-packagebun run restore-package.mjs
  • smokebun run build && bun dist/cli.mjs --help
  • testbun test --preload ./test/setup.ts
  • typechecktsc --noEmit
Dependencies5
  • cross-spawn^7.0.6
  • nanoid^5.1.6
  • semver^7.7.4
  • shiki^3.23.0
  • vue^3.5.29