Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```

Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 315 · status changed
Related candidates
Linked campaigns and clusters
deangeeker
2 members · evidence strength 64
Evidence
Static findings
27 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/src/cli/cmd/auth.ts | matched "AWS_ACCESS_KEY" | 30 |
| high | Credential file access | package/src/mcp/git-github.ts | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/src/cli/cmd/github.ts | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/src/bun/index.ts | matched ".npmrc" | 30 |
| high | Credential file access | package/src/skill/manage.ts | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/src/cli/cmd/mcp.ts | matched "GITHUB_TOKEN" | 30 |
| high | Credential file access | package/src/provider/provider.ts | matched ".azure" | 30 |
| medium | Remote Payload | package/src/runtime/exec-policy.ts | matched "Invoke-WebRequest" | 12 |
| medium | Remote Payload | package/src/installation/index.ts | matched "curl " | 12 |
| medium | Remote Payload | package/parsers-config.ts | matched "github.com/tree-sitter/tree-sitter-python/releases/download" | 12 |
| medium | Remote Payload | package/src/file/ripgrep.ts | matched "github.com/BurntSushi/ripgrep/releases/download" | 12 |
| medium | Remote Payload | package/src/lsp/server.ts | matched "curl " | 12 |
| low | Obfuscation | package/script/postinstall.mjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/src/acp/agent.ts | matched "Buffer.from(base64Data, \"base64" | 3 |
| low | Obfuscation | package/src/tool/analysis-grounding.ts | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/src/tool/analysis-state.ts | matched "\\x00" | 3 |
| low | Obfuscation | package/src/cli/cmd/tui/util/clipboard.ts | matched "\\x1b" | 3 |
| low | Obfuscation | package/src/plugin/codex.ts | matched "fromCharCode" | 3 |
| low | Obfuscation | package/src/util/color.ts | matched "\\x1b" | 3 |
| low | Obfuscation | package/src/tool/data-import.ts | matched "\\x00" | 3 |
| low | Obfuscation | package/src/tool/econometrics.ts | matched "\\x00" | 3 |
| low | Obfuscation | package/src/patch/index.ts | matched "\\u2018" | 3 |
| low | Obfuscation | package/src/session/prompt.ts | matched "Buffer.from(part.url, \"base64" | 3 |
| low | Obfuscation | package/src/cli/cmd/stats.ts | matched "\\x1B" | 3 |
| low | Obfuscation | package/src/cli/cmd/tui/util/terminal.ts | matched "\\x1b" | 3 |
| low | Obfuscation | package/src/cli/ui.ts | matched "\\x1b" | 3 |
| low | Obfuscation | package/src/runtime/workflow-locale.ts | matched "\\u3400" | 3 |
Manifest
Package metadata
Scripts (17)
| Script | Command |
|---|---|
| build | `bun run script/build.ts` |
| build:windows-priority | `bun run script/build.ts --windows-priority` |
| clean | `echo 'Cleaning up...' && rm -rf node_modules dist` |
| deploy | `echo 'Deploying application...' && bun run build && echo 'Deployment completed successfully'` |
| dev | `BROWSERSLIST_IGNORE_OLD_DATA=1 bun run --conditions=browser ./src/index.ts` |
| docs | `echo 'Generating documentation...' && find src -name '*.ts' -exec echo 'Processing: {}' \;` |
| format | `echo 'Formatting code...' && bun run --prettier --write src/**/*.ts` |
| lint | `echo 'Running lint checks...' && bun test --coverage` |
| pack:publish | `bun run script/publish.ts --pack-only` |
| pack:publish:windows | `bun run script/publish.ts --pack-only --windows-priority` |
| pack:publish:windows:latest | `bun run pack:publish:windows` |
| publish:windows | `bun run script/publish.ts --windows-priority` |
| publish:windows:latest | `bun run publish:windows` |
| random | `echo 'Random script updated at $(date)' && echo 'Change queued successfully' && echo 'Another change made' && echo 'Yet another change' && echo 'One more change' && echo 'Final change' && echo 'Another final change' && echo 'Yet another final change'` |
| release:windows:latest | `bun run script/release-windows.ts` |
| test | `bun test` |
| typecheck | `tsgo --noEmit` |
Dependencies (72)
| Package | Version |
|---|---|
| @actions/core | 1.11.1 |
| @actions/github | 6.0.1 |
| @agentclientprotocol/sdk | 0.12.0 |
| @ai-sdk/amazon-bedrock | 3.0.73 |
| @ai-sdk/anthropic | 2.0.57 |
| @ai-sdk/azure | 2.0.91 |
| @ai-sdk/cerebras | 1.0.34 |
| @ai-sdk/cohere | 2.0.22 |
| @ai-sdk/deepinfra | 1.0.31 |
| @ai-sdk/gateway | 2.0.25 |
| @ai-sdk/google | 2.0.52 |
| @ai-sdk/google-vertex | 3.0.97 |
| @ai-sdk/groq | 2.0.34 |
| @ai-sdk/mistral | 2.0.27 |
| @ai-sdk/openai | 2.0.89 |
| @ai-sdk/openai-compatible | 1.0.30 |
| @ai-sdk/perplexity | 2.0.23 |
| @ai-sdk/provider | 2.0.1 |
| @ai-sdk/provider-utils | 3.0.20 |
| @ai-sdk/togetherai | 1.0.31 |
| @ai-sdk/vercel | 1.0.31 |
| @ai-sdk/xai | 2.0.51 |
| @clack/prompts | 1.0.0-alpha.1 |
| @gitlab/gitlab-ai-provider | 3.1.3 |
| @hono/standard-validator | 0.1.5 |
| @hono/zod-validator | catalog: |
| @killstata/plugin | workspace:* |
| @killstata/script | workspace:* |
| @killstata/sdk | workspace:* |
| @killstata/util | workspace:* |

…and 42 more.