PkgRadar

Package evidence

[email protected]

Credential file access: matched "GITHUB_TOKEN"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: swoofer
Artifact bytes: 336,471
Previous version: 0.12.0
Published: 2026-05-24T11:26:42.877Z
SHA-256: 7def934eeca7ab04a326e31490f100764395d070ae97218daf9d1c1b7d2f31c4

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: high
Score: 141
Version: 0.13.0
Last checked
Status history (1 event)
  1. new · available · risk high · score 141 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burst · stale

swoofer

4 members · evidence strength 81

Evidence

Static findings

14 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/cli/server/start.js | matched "GITHUB_TOKEN" | 30 |
| medium | Remote Payload | package/dist/src/auth.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/boot.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/auth/device-flow.js | matched "cUrl\n " | 12 |
| medium | Remote Payload | package/dist/src/discovery.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/cli/doctor.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/cli/init.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/auth/oauth-login.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/src/auth/refresh-rotation.js | matched "cUrl " | 12 |
| low | Obfuscation | package/dist/src/auth/audit-helpers.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/src/auth/login-lockout.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/src/serve-http.js | matched "Buffer.from(base64url, \"base64" | 3 |
| low | Obfuscation | package/dist/src/http/utils.js | matched "Buffer.from(base64url, \"base64" | 3 |
| low | Obfuscation | package/dist/src/admin/validate.js | matched "\\x00" | 3 |

Manifest

Package metadata

Scripts (13)
  • build: tsc
  • chaos:audit: tsx tests/perf/chaos/audit-queue-overflow.ts
  • chaos:idp: tsx tests/perf/chaos/idp-failure-injection.ts
  • cli: tsx cli/index.ts
  • dev: tsx src/serve-http.ts
  • dev:stdio: tsx src/index.ts
  • perf:audit: tsx tests/perf/bench-audit-queue.ts
  • perf:rotation: tsx tests/perf/bench-refresh-rotation.ts
  • perf:token-epoch: tsx tests/perf/bench-token-epoch.ts
  • start: node dist/src/serve-http.js
  • test: vitest run
  • test:e2e: playwright test
  • test:watch: vitest
Dependencies (13)
  • @modelcontextprotocol/sdk ^1.12.0
  • aedes ^1.0.2
  • better-sqlite3 ^12.8.0
  • commander ^14.0.3
  • cookie ^1.0.2
  • jose ^6.2.2
  • lru-cache ^11.0.2
  • mqtt ^5.15.0
  • pino ^10.3.1
  • prom-client ^15.1.3
  • tar ^7.4.3
  • ws ^8.20.0
  • zod ^3.23.0
Optional dependencies (15)
  • tree-sitter ^0.21.1
  • tree-sitter-bash ^0.21.0
  • tree-sitter-c ^0.21.0
  • tree-sitter-c-sharp ^0.21.3
  • tree-sitter-cpp ^0.22.0
  • tree-sitter-go ^0.21.0
  • tree-sitter-java ^0.21.0
  • tree-sitter-javascript ^0.21.4
  • tree-sitter-kotlin ^0.3.0
  • tree-sitter-php ^0.22.0
  • tree-sitter-python ^0.21.0
  • tree-sitter-ruby ^0.21.0
  • tree-sitter-rust ^0.21.0
  • tree-sitter-swift ^0.6.0
  • tree-sitter-typescript ^0.21.2