Package evidence

[email protected]

Credential file access: matched ".ssh"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherekrich

Artifact bytes2,177,268

Previous version0.0.3

Published2026-05-25T00:40:14.669Z

SHA-256850ae21ad504f4b8af9f01ebfca1b58c343b0535ee864c25a801c7ed0928c50f

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

23d agoLast checked

highRisk

135Score

0.0.4Version

Status history (1 event)

new → available23d ago · risk high · score 135 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

ekrich

4 members · evidence strength 84

Evidence

Static findings

27 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/ssh-config-DAsGgEig.mjs	matched ".ssh"	30
medium	Obfuscation Density	package/dist/blade-CKDp56sR.mjs	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/julia-B3gTKp-V.mjs	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/php-DcghqDXq.mjs	high encoded/escaped-token density	12

Show all 27 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/ssh-config-DAsGgEig.mjs	matched ".ssh"	30
medium	Obfuscation Density	package/dist/blade-CKDp56sR.mjs	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/julia-B3gTKp-V.mjs	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/php-DcghqDXq.mjs	high encoded/escaped-token density	12
low	Obfuscation	package/dist/editor/dist/assets/index-B0kdJwfN.js	matched "\\u00C0"	3
low	Obfuscation	package/dist/ara-D-j-XXGW.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/blade-CKDp56sR.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/coffee-Cvl138sb.mjs	matched "fromCharCode"	3
low	Obfuscation	package/dist/coq-BsUrCVvK.mjs	matched "\\xA0"	3
low	Obfuscation	package/dist/crystal-JmPkQM3O.mjs	matched "\\x08"	3
low	Obfuscation	package/dist/css-BacX8Aaf.mjs	matched "\\uFEFF"	3
low	Obfuscation	package/dist/glimmer-js-Cuh-sLOS.mjs	matched "\\x08"	3
low	Obfuscation	package/dist/glimmer-ts-Drh19V-_.mjs	matched "\\x08"	3
low	Obfuscation	package/dist/hack-Csgj2aE9.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/html-Bg4BDoLh.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/julia-B3gTKp-V.mjs	matched "\\x01"	3
low	Obfuscation	package/dist/less-BmQG9s2A.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/php-DcghqDXq.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/puppet-CjFnVLMe.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/ruby-DLys19ma.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/scss-BOWWV2Ec.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/stata-R_35NCZA.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/stylus-CNLem3u-.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/twig-CgEsAzoI.mjs	matched "\\x7F"	3
low	Obfuscation	package/dist/typst-D73qYMMw.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/vue-CPLUWs4f.mjs	matched "\\x00"	3
low	Obfuscation	package/dist/wasm-DhFUmAQm.mjs	matched "atob("	3

Manifest

Package metadata

Scripts5

buildvp pack && node ./scripts/copy-editor-files.mjs
checkvp check
devvp pack --watch
prepublishOnlyvp run build
testvp test

Dependencies14

@base-ui/react^1.4.1
@tailwindcss/vite^4.1.6
@vitejs/plugin-react^4.6.0
citty^0.2.2
class-variance-authority^0.7.1
clsx^2.1.1
jiti^2.4.2
lucide-react^1.16.0
react^19.1.0
react-dom^19.1.0
tailwind-merge^3.6.0
tailwindcss^4.1.6
tw-animate-css^1.4.0
vite^6.3.0