PkgRadar

Package evidence

[email protected]

Credential file access: matched ".AWS"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishertywalch
Artifact bytes123,094
Previous version3.7.4
Published2026-04-05T18:43:50.923Z
SHA-2564dad01a5023a0bd38f957afb4875ca657b0707a6736e8f67c6dbc2f5da06e6b0

Why flagged

What the scanner saw

Credential file access: matched ".AWS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
69Score
3.7.5Version
Status history (1 event)
  1. newavailable · risk high · score 69 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

tywalch

2 members · evidence strength 57

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/src/entity.jsmatched ".AWS"30
highCredential file accesspackage/src/schema.jsmatched ".aws"30
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/src/entity.jsmatched ".AWS"30
highCredential file accesspackage/src/schema.jsmatched ".aws"30
lowObfuscationpackage/src/entity.jsmatched "eval("3
lowObfuscationpackage/src/schema.jsmatched "eval("3
lowObfuscationpackage/src/util.jsmatched "Buffer.from(cursor, \"base64"3

Manifest

Package metadata

Scripts32
  • buildsh buildbrowser.sh
  • build:browserbrowserify playground/browser.js -o playground/bundle.js
  • coveragenpm run test:init:hard && nyc npm run test:unit && nyc report --reporter=text-lcov | coveralls
  • coverage:local:coverallsnpm run test:init:hard && nyc npm run test:unit && nyc report --reporter=text-lcov | coveralls
  • coverage:local:htmlnpm run test:init:hard && nyc npm run test:unit && nyc report --reporter=html
  • ddb:loaddocker compose exec electro npm run test:init:hard
  • ddb:startdocker compose up -d dynamodb
  • ddb:stopdocker compose stop
  • examples:load:librarynpm run ddb:start && npm run local:init && ts-node ./examples/library/load.ts
  • examples:load:taskmanagernpm run ddb:start && npm run local:init && ts-node ./examples/taskManager/load.ts
  • examples:load:versioncontrolnpm run ddb:start && npm run local:init && ts-node ./examples/versionControl/load.ts
  • examples:locksnpm run ddb:start && npm run local:init && ts-node ./examples/locks
  • examples:provisiontablenpm run ddb:start && npm run local:init && ts-node ./examples/provisionTable
  • examples:query:librarynpm run ddb:start && npm run local:init && ts-node ./examples/library/query.ts
  • examples:query:taskmanagernpm run ddb:start && npm run local:init && ts-node ./examples/taskManager/query.ts
  • examples:query:versioncontrolnpm run ddb:start && npm run local:init && ts-node ./examples/versionControl/query.ts
  • formatprettier -w src/**/*.js examples/**/* --log-level=error
  • local:debugnpm run local:start && npm run local:exec
  • local:execLOCAL_DYNAMO_ENDPOINT='http://localhost:8000' ts-node ./test/debug.ts
  • local:freshnpm run ddb:start && npm run local:init:hard
  • local:initLOCAL_DYNAMO_ENDPOINT='http://localhost:8000' npm run test:init
  • local:init:hardLOCAL_DYNAMO_ENDPOINT='http://localhost:8000' npm run test:init:hard
  • local:startnpm run ddb:start && npm run local:init
  • local:stopnpm run ddb:stop
  • test./test.sh
  • test:cinpm install && npm test
  • test:formatprettier -c src/**/*.js examples/**/*
  • test:initnode ./test/init.js
  • test:init:hardnode ./test/init.js --recreate
  • test:runnpm run test:types && npm run test:init && npm run test:unit
  • …and 2 more.
Dependencies3
  • @aws-sdk/lib-dynamodb^3.654.0
  • @aws-sdk/util-dynamodb^3.654.0
  • jsonschema1.2.7