Package evidence

[email protected]

Credential File Packaged: package/templates/backend/.env

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherbilyv

Artifact bytes123,672

Previous version0.1.1

Published2026-05-24T07:55:24.905Z

SHA-256ef367e56fff697eac1b7fd8ab5a39ee5fd841acdf835e7402633a42a1e74acaa

Why flagged

What the scanner saw

Credential File Packaged: package/templates/backend/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

22d agoLast checked

highRisk

107Score

0.1.2Version

Status history (1 event)

new → available22d ago · risk high · score 107 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

bilyv

3 members · evidence strength 77

Evidence

Static findings

19 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/templates/backend/.env	package/templates/backend/.env	35
medium	Obfuscation Density	package/templates/backend/package-lock.json	high encoded/escaped-token density	12
medium	Obfuscation Density	package/templates/frontend/package-lock.json	high encoded/escaped-token density	12

Show all 19 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/templates/backend/.env	package/templates/backend/.env	35
medium	Obfuscation Density	package/templates/backend/package-lock.json	high encoded/escaped-token density	12
medium	Obfuscation Density	package/templates/frontend/package-lock.json	high encoded/escaped-token density	12
low	Obfuscation	package/dist/commands/activate.js	matched "\\u2714"	3
low	Obfuscation	package/dist/commands/add.js	matched "\\u2716"	3
low	Obfuscation	package/dist/ui/banner.js	matched "\\u2500"	3
low	Obfuscation	package/dist/ui/colors.js	matched "\\x1b"	3
low	Obfuscation	package/dist/ui/column-editor.js	matched "\\x1b"	3
low	Obfuscation	package/dist/license/crypto.js	matched "Buffer.from(value, \"base64"	3
low	Obfuscation	package/dist/commands/design.js	matched "\\u2716"	3
low	Obfuscation	package/dist/index.js	matched "\\u2716"	3
low	Obfuscation	package/dist/generators/migration.js	matched "\\u2714"	3
low	Obfuscation	package/dist/commands/repl.js	matched "\\x1b"	3
low	Obfuscation	package/templates/backend/src/server.js	matched "\\x1b"	3
low	Obfuscation	package/dist/commands/setup.js	matched "\\u2500"	3
low	Obfuscation	package/dist/ui/spinner.js	matched "\\u280b"	3
low	Obfuscation	package/dist/ai/styler.js	matched "\\u2716"	3
low	Obfuscation	package/dist/ui/template-picker.js	matched "\\u2600"	3
low	Obfuscation	package/dist/commands/update.js	matched "\\u2713"	3

Manifest

Package metadata

Scripts3

devconcurrently -n be,fe -c blue,green "npm run dev --prefix {{backendFolder}}" "npm run dev --prefix {{frontendFolder}}"
dev:backendnpm run dev --prefix {{backendFolder}}
dev:frontendnpm run dev --prefix {{frontendFolder}}