PkgRadar

Package evidence

[email protected]

Credential file access: matched ".aws/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
268Mature · −50% score
First published
Jun 2012
Publisher
rejetto

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherrejetto
Artifact bytes1,078,049
Previous version3.1.5
Published2026-05-28T18:52:53.770Z
SHA-25624c6b45c3a217be71fde93c77b5cc8b57e81e27102f10e86a951251e04fd5afd

Why flagged

What the scanner saw

Credential file access: matched ".aws/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
3.1.7Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/central.jsonmatched ".aws/"3
lowLarge Javascript Payloadpackage/admin/assets/index-BozjOyNh.js2000959 bytes0
lowObfuscation Densitypackage/npm-shrinkwrap.jsonhigh encoded/escaped-token density0

Manifest

Package metadata

Scripts31
  • build-adminnpm run build --workspace=admin
  • build-allrm -rf dist && npm run build-server && (npm run build-frontend & npm run build-admin) && echo COMPLETED
  • build-frontendnpm run build --workspace=frontend
  • build-serverrm -rf dist/src dist/plugins && npm i && tsc && touch package.json && cp -v -r package.json central.json README* LICENSE* hfs.ico plugins dist && find dist -name .DS_Store -o -name storage -exec rm -rf {} + && node scripts/afterbuild.js
  • distSTASHED=; if ! git diff-index --quiet HEAD --; then git stash push -m 'dist' && STASHED=1; fi; CI=1 FORCE_COLOR=1 npm run dist-uncommitted || (EXIT_CODE=$?; [ -n "$STASHED" ] && git stash pop; exit $EXIT_CODE); [ -n "$STASHED" ] && git stash pop
  • dist-binnpm run dist-modules && npm run dist-bin-win && npm run dist-bin-linux && npm run dist-bin-linux-arm && npm run dist-bin-mac && npm run dist-bin-mac-arm
  • dist-bin-linuxcd dist && pkg . --public -C gzip -t node20-linux-x64 && zip hfs-linux-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-linux-armcd dist && pkg . --public -C gzip -t node20-linux-arm64 ${GITHUB_ACTIONS:+--public-packages "*"} && zip hfs-linux-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-maccd dist && pkg . --public -C gzip -t node20-macos-x64 && zip hfs-mac-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-mac-armcd dist && pkg . --public -C gzip -t node20-macos-arm64 && zip hfs-mac-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-wincd dist && pkg . --public -C gzip -t node20-win-x64 && npx resedit-cli --in hfs.exe --icon 1,../hfs.ico --out hfs.exe && zip hfs-windows-x64-$(jq -r .version ../package.json).zip hfs.exe -r plugins && cd ..
  • dist-linuxnpm run dist-modules && npm run dist-bin-linux
  • dist-macnpm run dist-modules && npm run dist-bin-mac
  • dist-mac-armnpm run dist-modules && npm run dist-bin-mac-arm
  • dist-modulescp package.json central.json README.md dist && cd dist && npm pkg delete devDependencies workspaces && rm -rf node_modules && npm install --omit=dev && npm shrinkwrap && cd .. && node scripts/prune_modules.js
  • dist-nodenpm run dist-modules && cd dist && zip hfs-node-$(jq -r .version ../package.json).zip -r * -x *.zip *.exe hfs-* *.log logs
  • dist-uncommittednpm audit --omit=dev --audit-level=moderate && rm -rf dist && npm run build-server && npm run test-with-server && (npm run build-frontend & npm run build-admin) && npm run test-ui && npm run dist-bin
  • dist-winnpm run dist-modules && npm run dist-bin-win
  • port-is-freenode -e "const port=process.argv[1]||8081;process.exit(await fetch('http://localhost:'+port).then(() => console.log('BUSY')||1, () => 0))" --
  • pubcd dist && npm publish
  • server-for-testnode dist/src --cwd tests/work --config tests --debug
  • server-for-test-devcross-env DEV=1 FRONTEND_PROXY=3005 ADMIN_PROXY=3006 nodemon --ignore tests/ --watch src -e ts,tsx --exec tsx src -- --cwd tests/work --config tests
  • start-adminnpm run start --workspace=admin
  • start-frontendnpm run start --workspace=frontend
  • testnode --import tsx --test tests/test.ts
  • test-uinpm run port-is-free -- 8081 && rm -rf tests/work tests/work2 && npx playwright test frontend && npx playwright test serial && npx playwright test admin-vfs
  • test-with-serversh -c 'npm run port-is-free && tsc && rm -rf tests/work tests/tmp && (node dist/src --cwd tests/work --config tests & echo $! > .server_pid) && sleep 2 && node --import tsx --test "$@" tests/test.ts; _exit=$?; if [ -f ./.server_pid ]; then SERVER_PID=$(cat ./.server_pid); kill "$SERVER_PID" 2>/dev/null || true; rm -f ./.server_pid; fi; exit $_exit' --
  • test-with-uish -c 'npm run port-is-free -- 3005 && npm run start-frontend & npm run port-is-free -- 3006 && npm run start-admin & cross-env TEST_WITH_UI=1 npx playwright test --ui "$@"' --
  • watch-servercross-env DEV=1 nodemon --ignore tests/ --watch src -e ts,tsx --exec tsx src
  • watch-server-fullnpm run start --workspace=frontend & npm run start --workspace=admin & cross-env FRONTEND_PROXY=3005 ADMIN_PROXY=3006 npm run watch-server
  • …and 1 more.
Dependencies30
  • @gregoranders/csv^0.0.13
  • @rejetto/kvstorage^0.17.7
  • @rejetto/nat-upnp^2.1.4
  • acme-client^5.4.0
  • busboy^1.6.0
  • crc-32^1.2.2
  • fast-glob^3.3.3
  • fast-xml-parser^5.4.2
  • find-process^2.0.0
  • fs-x-attributes^1.0.2
  • fswin^3.24.829
  • iconv-lite^0.7.0
  • immer^10.1.3
  • ip2location-nodejs^9.7.0
  • koa^3.1.2
  • koa-compress^5.2.0
  • koa-mount^4.2.0
  • koa-session^7.0.2
  • limiter^3.0.0
  • lodash^4.17.21
  • mime-types*
  • minimist^1.2.8
  • node-forge^1.3.1
  • open^8.4.0
  • picomatch^4.0.3
  • tssrp6a^3.0.0
  • unzip-stream^0.3.4
  • valtio^1.13.2
  • xxhashjs^0.2.2
  • yaml^2.8.1