PkgRadar

Package evidence

[email protected]

Credential file access: matched "npm_token"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherzimbora
Artifact bytes2,608,129
Previous version1.0.76
Published2026-05-24T10:18:01.254Z
SHA-256f3282e9394ba91645bcda7770f2dea374b5aa4cfebed284aecc8223395d8c077

Why flagged

What the scanner saw

Credential file access: matched "npm_token"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
78Score
1.0.77Version
Status history (1 event)
  1. newavailable · risk high · score 78 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

zimbora

4 members · evidence strength 76

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/.github/workflows/npm-publish.ymlmatched "npm_token"30
mediumObfuscation Densitypackage/server/public/assets/js/ace.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/server/public/assets/js/ace.min.jshigh encoded/escaped-token density12
Show all 11 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/.github/workflows/npm-publish.ymlmatched "npm_token"30
mediumObfuscation Densitypackage/server/public/assets/js/ace.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/server/public/assets/js/ace.min.jshigh encoded/escaped-token density12
lowObfuscationpackage/server/public/assets/js/ace.jsmatched "fromCharCode"3
lowObfuscationpackage/server/public/assets/js/ace.min.jsmatched "fromCharCode"3
lowObfuscationpackage/server/public/assets/js/dataTables.min.jsmatched "\\u2028"3
lowObfuscationpackage/server/public/assets/js/jquery-3.5.1.jsmatched "Eval("3
lowObfuscationpackage/server/public/assets/js/jquery.dataTables.min.jsmatched "\\u2028"3
lowObfuscationpackage/server/public/assets/js/jquery.min.jsmatched "\\x20"3
lowObfuscationpackage/server/public/lib/markdown.jsmatched "eval("3
lowObfuscationpackage/server/public/assets/js/mqttws31.min.jsmatched "fromCharCode"3

Manifest

Package metadata

Scripts1
  • testecho "Error: no test specified" && exit 0
Dependencies25
  • async^3.2.4
  • basic-ftp^5.0.5
  • body-parser^1.20.1
  • console-log-level^1.4.1
  • crc^4.3.2
  • crypto-js^4.1.1
  • ejs^3.1.10
  • express^4.18.2
  • express-fileupload^1.4.0
  • express-jwt^8.2.1
  • express-session^1.17.3
  • express-useragent^1.0.15
  • express-validation^4.1.0
  • ftp-srv^4.6.3
  • googleapis^110.0.0
  • http-status-codes^2.2.0
  • joi^17.7.0
  • markdown^0.5.0
  • moment^2.29.4
  • mqtt^4.3.7
  • multer^1.4.5-lts.1
  • mysql2^3.2.0
  • node-docker-api^1.1.22
  • path^0.12.7
  • serve-index^1.9.1