PkgRadar

Package evidence

[email protected]

Credential file access: matched ".aws"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: rejetto
Artifact bytes: 1,187,880
Previous version: 3.2.0-beta2
Published: 2026-05-24T08:03:08.595Z
SHA-256: 5304ccb13b8db79c8892b62d3a13f07a9246b8ac19b1468dd3d9843a885716f4

Why flagged

What the scanner saw

Credential file access: matched ".aws"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: high
Score: 130
Version: 3.2.0-beta3
Last checked:

Status history (1 event)
  1. new · available · risk high · score 130 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burst · stale

rejetto

2 members · evidence strength 64

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/central.json | matched ".aws" | 30 |
| medium | Remote Payload | package/src/api.vfs.js | matched "Invoke-WebRequest" | 12 |
| medium | Remote Payload | package/src/github.js | matched "raw.githubusercontent.com" | 12 |
| medium | Obfuscation Density | package/frontend/assets/index-legacy-CU5HXdA4.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/src/listen.js | matched "curl " | 12 |
| medium | Remote Payload | package/src/serveGuiAndSharedFiles.js | matched "curl " | 12 |
| medium | Obfuscation Density | package/npm-shrinkwrap.json | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/admin/assets/index-vGnRRM8b.js | 2088144 bytes | 10 |
| low | Obfuscation | package/src/cross-const.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/src/cross.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/frontend/assets/index-legacy-CU5HXdA4.js | matched "\\x00" | 3 |
| low | Obfuscation | package/src/middlewares.js | matched "atob(" | 3 |
| low | Obfuscation | package/src/util-files.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/src/util-http.js | matched "\\u0000" | 3 |

Manifest

Package metadata

Scripts (31)
  • build-admin: npm run build --workspace=admin
  • build-all: rm -rf dist && npm run build-server && (npm run build-frontend & npm run build-admin) && echo COMPLETED
  • build-frontend: npm run build --workspace=frontend
  • build-server: rm -rf dist/src dist/plugins && npm i && tsc && touch package.json && cp -v -r package.json central.json README* LICENSE* hfs.ico plugins dist && find dist -name .DS_Store -o -name storage -exec rm -rf {} + && node scripts/afterbuild.js
  • dist: STASHED=; if ! git diff-index --quiet HEAD --; then git stash push -m 'dist' && STASHED=1; fi; CI=1 FORCE_COLOR=1 npm run dist-uncommitted || (EXIT_CODE=$?; [ -n "$STASHED" ] && git stash pop; exit $EXIT_CODE); [ -n "$STASHED" ] && git stash pop
  • dist-bin: npm run dist-modules && npm run dist-bin-win && npm run dist-bin-linux && npm run dist-bin-linux-arm && npm run dist-bin-mac && npm run dist-bin-mac-arm
  • dist-bin-linux: cd dist && pkg . --public -C gzip -t node24-linux-x64 && zip hfs-linux-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-linux-arm: cd dist && pkg . --public -C gzip -t node24-linux-arm64 ${GITHUB_ACTIONS:+--public-packages "*"} && zip hfs-linux-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-mac: cd dist && pkg . --public -C gzip -t node24-macos-x64 && zip hfs-mac-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-mac-arm: cd dist && pkg . --public -C gzip -t node24-macos-arm64 && zip hfs-mac-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..
  • dist-bin-win: cd dist && pkg . --public -C gzip -t node24-win-x64 && npx resedit-cli --in hfs.exe --icon 1,../hfs.ico --out hfs.exe && zip hfs-windows-x64-$(jq -r .version ../package.json).zip hfs.exe -r plugins && cd ..
  • dist-linux: npm run dist-modules && npm run dist-bin-linux
  • dist-mac: npm run dist-modules && npm run dist-bin-mac
  • dist-mac-arm: npm run dist-modules && npm run dist-bin-mac-arm
  • dist-modules: cp package.json central.json README.md dist && cd dist && npm pkg delete devDependencies workspaces scripts.postinstall && rm -rf node_modules && npm install --omit=dev && npm shrinkwrap && cd .. && node scripts/prune_modules.js
  • dist-node: npm run dist-modules && cd dist && zip hfs-node-$(jq -r .version ../package.json).zip -r * -x *.zip *.exe hfs-* *.log logs
  • dist-uncommitted: npm audit --omit=dev --audit-level=moderate && rm -rf dist && npm run build-server && npm run test-with-server && (npm run build-frontend & npm run build-admin) && npm run test-ui && npm run dist-bin
  • dist-win: npm run dist-modules && npm run dist-bin-win
  • port-is-free: node -e "const port=process.argv[1]||8081;process.exit(await fetch('http://localhost:'+port).then(() => console.log('BUSY')||1, () => 0))" --
  • pub: cd dist && npm publish
  • server-for-test: mkdir -p tests/work && cp tests/config.yaml tests/work/config.yaml && node dist/src --cwd tests/work --config tests/work/config.yaml --debug
  • server-for-test-dev: cross-env DEV=1 FRONTEND_PROXY=3005 ADMIN_PROXY=3006 nodemon --ignore tests/ --watch src -e ts,tsx --exec tsx src -- --cwd tests/work --config tests
  • start-admin: npm run start --workspace=admin
  • start-frontend: npm run start --workspace=frontend
  • test: sh -c 'npm run port-is-free >/dev/null && { echo "no server"; exit 1; }; node --import tsx --test "$@" tests/test.ts' --
  • test-ui: npm run port-is-free -- 8081 && rm -rf tests/work tests/work2 && npx playwright test frontend && npx playwright test serial && npx playwright test admin-vfs
  • test-with-server: sh -c 'npm run port-is-free && tsc && rm -rf tests/work tests/tmp && mkdir -p tests/work && cp tests/config.yaml tests/work/config.yaml && (node dist/src --cwd tests/work --config tests/work/config.yaml & echo $! > .server_pid) && sleep 2 && node --import tsx --test "$@" tests/test.ts; _exit=$?; if [ -f ./.server_pid ]; then SERVER_PID=$(cat ./.server_pid); kill "$SERVER_PID" 2>/dev/null || true; rm -f ./.server_pid; fi; exit $_exit' --
  • test-with-ui: sh -c 'npm run port-is-free -- 3005 && npm run start-frontend & npm run port-is-free -- 3006 && npm run start-admin & cross-env TEST_WITH_UI=1 npx playwright test --ui "$@"' --
  • watch-server: cross-env DEV=1 nodemon --ignore tests/ --watch src -e ts,tsx --exec tsx src
  • watch-server-full: npm run start --workspace=frontend & npm run start --workspace=admin & cross-env FRONTEND_PROXY=3005 ADMIN_PROXY=3006 npm run watch-server
  • …and 1 more.
Dependencies (30)
  • @gregoranders/csv ^0.0.13
  • @rejetto/kvstorage ^0.17.7
  • @rejetto/nat-upnp ^2.1.4
  • acme-client ^5.4.0
  • busboy ^1.6.0
  • crc-32 ^1.2.2
  • fast-glob ^3.3.3
  • fast-xml-parser ^5.4.2
  • find-process ^2.0.0
  • fs-x-attributes ^1.0.2
  • fswin ^3.24.829
  • iconv-lite ^0.7.0
  • ip2location-nodejs ^9.7.0
  • koa ^3.1.2
  • koa-compress ^5.2.0
  • koa-mount ^4.2.0
  • koa-session ^7.0.2
  • limiter ^3.0.0
  • lodash ^4.17.21
  • mime-types *
  • minimist ^1.2.8
  • node-forge ^1.3.1
  • open ^8.4.0
  • picomatch ^4.0.3
  • tssrp6a ^3.0.0
  • unzipper ^0.12.3
  • valtio ^1.13.2
  • xxhashjs ^0.2.2
  • yaml ^2.8.1
  • yazl ^3.3.1