PkgRadar

Package evidence

garak==0.15.1

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
38 · Mature · −50% score
First published
Jun 2023
Publisher
nv052193, Mads Kongsbak, Tianhao Li, Phyllis Poh, Razvan Dinu, Zander Mackie, Greg Stephens, Ahsan Ayub, Jonathan Liberman, Gustav Fredrikson, Oh Tien Cheng, Brain John, Naman Mishra, Soumili Nandi, Arjun Krishna, Mihailo Milenkovic, Kai Greshake, Martin Borup-Larsen, Emmanuel Ferdman, Eric Therond, Zoe Nolan, Harsh Raj, Shine-afk, Rafael Sandroni, Eric Hacker, Blessed Uyo, Ikko Eltociear Ashimine, iamnotcj, Dwight Temple, Shane Rosse, Masaya Ogushi, Viktor T. Zetterberg, Erwan Roussel, Matthew Rowe, Aishwarya Padmakumar, Marco Rosa, Ian Chu, Mike McKiernan, Divya Chitimalla, Katherine Luna, Dave Baker, Jack Kelly, Amrit Prakash, Cássia Sampaio, Nakul Rajpal, Noah Oeksuez, Dhruv Malik, Patricia Pampanelli, Joseph Davis Chamdani, Rob Geada, Ashish RajAnand, Paulina Kalicka, Gal Moshkovitz, Jack Smith, Paul A. Parkanzky, Leif Hancox-Li, Fabrizio Rocco, Sai Chandra Pandraju, Harish Kolla, Snehal Vartak, Abhiraj Sinha, Harsh Motla, Otavio Padovani, Siddhant Mishra, dyrtyData, Leone Lage Perdigão, Lucas Wang, Ian Miller, Edward Kim, Raina O'Sullivan, Christ Bowel Bouchuen, Hayato Fujihara, precognitivem0nk, Jacob J. lee, Eliya Cohen, Nathan Maine, Boao Dong, zw5, Musaab Hasan, Stefano Amorelli, Chris Southerland Jr., Lane Poole, Aditya Singh, Pradyoth Prashanth, Oleksandr Sanin, Varun Jakkula, Kyle Zang, Minh Vu

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["garak==0.15.1"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["garak==0.15.1"],"fail_on":"review"}'
Artifact bytes: 2,721,859
Previous version: none
Published: 2026-06-05T17:25:27
SHA-256: 2f0aa66c705d49c9b18ce96012d2f730242d8d75257e4af02d9f4a0a41fe205f

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 7
Version: 0.15.1
Status history (1 event)
  1. new → available · risk review · score 7 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
Severity | Kind                   | Path                                                              | Detail                                   | Points
low      | Credential file access | garak-0.15.1/garak/langproviders/remote.py                        | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5
low      | Credential file access | garak-0.15.1/garak/resources/apikey/regexes.py                    | matched "aws_access_key"                 | 5
low      | Credential file access | garak-0.15.1/tools/propile/extract_pii_from_training_dataset.py   | matched "AWS_ACCESS_KEY"                 | 5