PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
154
Versions published
4
First published
May 2026
Publisher
chaosdonkey

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherchaosdonkey
Artifact bytes498,375
Previous version0.2.1
Published2026-05-27T05:43:21.360Z
SHA-25603b8f70f3e86e6ee3b96830a1e88ffb443f81e6281567bc80705fb9583065128

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
0.3.0Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/src/policy-heuristics.jsmatched ".npmrc"5
lowCredential file accesspackage/dist/src/policy-presets.jsmatched ".ssh"5
lowCredential file accesspackage/dist/src/session-share.jsmatched "GITHUB_TOKEN"5

Manifest

Package metadata

Scripts38
  • benchnpm run bench:correctness && npm run bench:perf:gate
  • bench:comparetsx bench/compare-metrics.ts
  • bench:correctnessnpm run check && npm test
  • bench:gatenpm run bench
  • bench:hotpathtsx bench/server-hotpath.bench.ts
  • bench:hotpath:gatenpm run bench:correctness && tsx bench/run-gate.ts --suite hotpath --runs 3 --metric-set avg --max-regression-pct 15 --min-baseline-us 0.2 --max-absolute-regression-us 0.05
  • bench:perfnpm run bench:hotpath
  • bench:perf:gatetsx bench/run-gate.ts --suite hotpath --runs 3 --metric-set avg --max-regression-pct 15 --min-baseline-us 0.2 --max-absolute-regression-us 0.05
  • buildbash -c 'npm run clean && tsc && chmod +x dist/src/cli.js'
  • checkprettier --version >/dev/null && bash -c 'pids=(); tsc --noEmit & pids+=($!); eslint src/ extensions/ bench/ & pids+=($!); knip & pids+=($!); prettier --check --ignore-unknown src/ extensions/ bench/ & pids+=($!); rc=0; for p in "${pids[@]}"; do wait "$p" || rc=1; done; exit $rc'
  • cleanrm -rf dist
  • dead-codeknip
  • devtsx watch src/cli.ts serve
  • formatprettier --write --ignore-unknown src/ extensions/ bench/
  • format:checkprettier --check --ignore-unknown src/ extensions/ bench/
  • linteslint src/ extensions/ bench/
  • lint:fixeslint src/ extensions/ bench/ --fix
  • preparebash -c 'npm run clean && tsc && chmod +x dist/src/cli.js'
  • prepublishOnlynpm run build
  • startnode dist/src/cli.js serve
  • telemetry:grafana:downdocker compose -f docker-compose.telemetry.yml down
  • telemetry:grafana:updocker compose -f docker-compose.telemetry.yml up -d
  • telemetry:importnode scripts/manual/telemetry-import-sqlite.mjs
  • telemetry:import:watchnode scripts/manual/telemetry-import-sqlite.mjs --watch
  • telemetry:reviewbun scripts/telemetry-review.ts
  • telemetry:review:gatebun scripts/telemetry-review.ts --days 3 --gate
  • testvitest run
  • test:coveragevitest run --coverage --exclude tests/policy-fuzz-perf.test.ts
  • test:e2evitest run --config vitest.e2e.config.ts
  • test:e2e:auth-connectionnpm run test:e2e:clean && E2E_NATIVE=1 vitest run --config vitest.e2e.config.ts e2e/pairing-flow e2e/paired-session
  • …and 8 more.
Dependencies7
  • @earendil-works/gondolin0.12.0
  • @earendil-works/pi-ai0.75.5
  • @earendil-works/pi-coding-agent0.75.5
  • @earendil-works/pi-tui0.75.5
  • diff-match-patch^1.0.5
  • typebox1.1.28
  • ws8.20.1