PkgRadar

Package evidence

[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherpyramation
Artifact bytes57,582
Previous version5.2.4
Published2026-05-23T03:02:14.009Z
SHA-2565756a196aec3bcd5444928fcd1e17f8a8525bd609fe12fde20640438122c0b46

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
180Score
5.3.0Version
Status history (1 event)
  1. newavailable · risk high · score 180 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

pyramation

14 members · evidence strength 84
Repeated static TTPstale

Credential file access — matched "AWS_ACCESS_KEY"

132 members · evidence strength 90

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/bucket-provisioner-resolver.jsmatched "AWS_ACCESS_KEY"30
highCredential file accesspackage/esm/bucket-provisioner-resolver.jsmatched "AWS_ACCESS_KEY"30
highCredential file accesspackage/esm/presigned-url-resolver.jsmatched "AWS_ACCESS_KEY"30
highCredential file accesspackage/presigned-url-resolver.jsmatched "AWS_ACCESS_KEY"30
highCredential file accesspackage/esm/upload-resolver.jsmatched "AWS_ACCESS_KEY"30
highCredential file accesspackage/upload-resolver.jsmatched "AWS_ACCESS_KEY"30

Manifest

Package metadata

Scripts7
  • buildmakage build
  • build:devmakage build --dev
  • cleanmakage clean
  • linteslint . --fix
  • prepacknpm run build
  • testjest
  • test:watchjest --watch
Dependencies41
  • @aws-sdk/client-s3^3.1052.0
  • @constructive-io/bucket-provisioner^0.11.1
  • @constructive-io/graphql-env^3.12.0
  • @constructive-io/graphql-types^3.11.0
  • @constructive-io/s3-streamer^2.25.0
  • @constructive-io/s3-utils^2.17.1
  • @constructive-io/upload-names^2.16.0
  • @dataplan/json1.0.0
  • @dataplan/pg1.0.3
  • @graphile-contrib/pg-many-to-many2.0.0-rc.2
  • @pgpmjs/logger^2.11.0
  • @pgpmjs/types^2.28.0
  • @pgsql/quotes^17.1.0
  • cors^2.8.6
  • express^5.2.1
  • grafast1.0.2
  • grafserv1.0.0
  • graphile-bucket-provisioner-plugin0.11.1
  • graphile-build5.0.2
  • graphile-build-pg5.0.2
  • graphile-bulk-mutations^0.4.0
  • graphile-config1.0.1
  • graphile-connection-filter^1.11.0
  • graphile-ltree^1.8.0
  • graphile-pg-aggregates^1.4.0
  • graphile-postgis^2.17.0
  • graphile-presigned-url-plugin^0.19.1
  • graphile-realtime-subscriptions^0.7.1
  • graphile-search^1.14.0
  • graphile-sql-expression-validator^2.13.1
  • …and 11 more.