Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched "id_rsa"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 97 · status changed
Related candidates
Linked campaigns and clusters
nicefox
2 members · evidence strength 63Evidence
Static findings
14 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/chunk-UEZDAB5X.js | matched "id_rsa" | 30 |
| medium | Obfuscation Density | package/dist/web/assets/index-CdF408Qk.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/provider-LDZFYLK6.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/pwa-76XP2DY2.js | matched "curl " | 12 |
Show all 14 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/chunk-UEZDAB5X.js | matched "id_rsa" | 30 |
| medium | Obfuscation Density | package/dist/web/assets/index-CdF408Qk.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/provider-LDZFYLK6.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/dist/pwa-76XP2DY2.js | matched "curl " | 12 |
| low | Install-time lifecycle script | package.json | prepare="husky" | 4 |
| low | Obfuscation | package/dist/chunk-7WHJUQ4Y.js | matched "\\u2713" | 3 |
| low | Obfuscation | package/dist/chunk-DF5BZBP6.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/chunk-UEZDAB5X.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/chunk-ZORPFD4C.js | matched "Buffer.from(encryptedPassword, \"base64" | 3 |
| low | Obfuscation | package/dist/web/assets/html2canvas.esm-QH1iLAAe.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/web/assets/index-CdF408Qk.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/dist/provider-LDZFYLK6.js | matched "\\u26A0" | 3 |
| low | Obfuscation | package/dist/serve-YO7HQKUD.js | matched "\\u26A0" | 3 |
| low | Obfuscation | package/dist/service-TU4XSXYJ.js | matched "\\u2713" | 3 |
Manifest
Package metadata
Scripts32
buildFORCE_COLOR=1 npm run build:server && FORCE_COLOR=1 npm run build:webbuild:serverFORCE_COLOR=1 tsup && mkdir -p dist/command-defaults dist/skill-defaults dist/agent-defaults dist/workflow-defaults && cp src/server/commands/defaults/*.md dist/command-defaults/ && cp src/server/skills/defaults/*.md dist/skill-defaults/ && cp src/server/agents/defaults/*.md dist/agent-defaults/ && cp src/server/workflows/defaults/*.json dist/workflow-defaults/ && cp src/cli/update.sh dist/cli/ && chmod +x dist/cli/update.sh && cp package.json dist/ && cp -r src/server/public dist/server/build:webcd web && FORCE_COLOR=1 vite build --outDir ../dist/webchecknpm run typecheck && npm run lint && npm run format && npm run duplicatecleanrm -rf distdevOPENFOX_DEV=true tsx watch src/cli/dev.ts --no-browserdev:webvite --config web/vite.config.tsduplicatenpm run duplicate:server && npm run duplicate:webduplicate:serverjscpd src/server/ --ignore '**/*.test.ts' --threshold 0duplicate:webjscpd web/src/ --config .jscpd-web.json --threshold 0formatprettier --check 'src/**/*.ts'format:fixprettier --write 'src/**/*.ts'linteslint src/ web/src/lint:fixeslint src/ --fixpatchHUSKY=0 npm version patchpreparehuskyprepublishOnlynpm run build && npm run test:publish:e2estartnode dist/cli/index.jsstart:devnode dist/cli/dev.jstestvitest run --reporter=dot --silent=passed-only && vitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.tstest:covvitest run --reporter=dot --silent=passed-only --coverage && vitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts --coveragetest:cov:e2evitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.ts --coveragetest:cov:unitvitest run --reporter=dot --silent=passed-only --coveragetest:e2evitest run --reporter=dot --silent=passed-only --config e2e/vitest.config.tstest:playwrightplaywright test --config=e2e-playwright/playwright.config.tstest:playwright:headedplaywright test --config=e2e-playwright/playwright.config.ts --headedtest:playwright:uiplaywright test --config=e2e-playwright/playwright.config.ts --uitest:publish:e2etsx scripts/run-publish-e2e.tstest:unitvitest run --reporter=dot --silent=passed-onlytypechecknpm run typecheck:server && npm run typecheck:web- …and 2 more.
Dependencies34
@clack/prompts^1.1.0@fontsource/jetbrains-mono^5.2.8@xterm/addon-fit^0.11.0@xterm/xterm^6.0.0bash-language-server^5.6.0better-sqlite3^12.8.0cors^2.8.5express^5.2.1fast-glob^3.3.3gray-matter^4.0.3html2canvas^1.4.1http-proxy^1.18.1ignore^7.0.5node-pty^1.2.0-beta.12open^11.0.0openai^6.33.0pyright^1.1.408react-markdown^10.1.0react-syntax-highlighter^16.1.1remark-gfm^4.0.1sql-language-server^1.7.1strip-ansi^7.2.0turndown^7.2.2typescript^5.8.2typescript-language-server^5.1.3vite^6.1.0vscode-jsonrpc^8.2.1vscode-langservers-extracted^4.10.0vscode-languageserver-protocol^3.17.5wouter^3.9.0- …and 4 more.