PkgRadar

Package evidence

[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: Jun 2026
Publisher: vrtxomega

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: vrtxomega
Artifact bytes: 132,478
Previous version: none
Published: 2026-06-10T16:24:33.050Z
SHA-256: 435d5f12297d9b597a80e518e41b261d4aa9fb9d37117baf3f1e56ff374c0915

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 10
Version: 0.1.1
Status history (1 event)
  1. new · available · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
Severity | Kind | Path | Detail | Points
low | Credential file access | package/src/core/adversary.mjs | matched "AWS_ACCESS_KEY" | 5
low | Credential file access | package/src/core/feedback.mjs | matched "AWS_ACCESS_KEY" | 5

Manifest

Package metadata

Scripts: 31
  • benchmark: node scripts/run-benchmark.mjs --fail-on-regression
  • benchmark:json: node scripts/run-benchmark.mjs --format json
  • benchmark:markdown: node scripts/run-benchmark.mjs --format markdown
  • benchmark:write: node scripts/run-benchmark.mjs --format markdown --write docs/benchmark-results.md --fail-on-regression
  • check: node --check scripts/run-pr-gate.mjs && node --check src/server.mjs && node --check src/cli.mjs && node --check src/config.mjs && node --check src/core/api.mjs && node --check src/core/adversary.mjs && node --check src/core/benchmark.mjs && node --check src/core/calibration.mjs && node --check src/core/candidates.mjs && node --check src/core/contributor-preflight.mjs && node --check src/core/evaluator.mjs && node --check src/core/feedback.mjs && node --check src/core/history.mjs && node --check src/core/pilot-proof.mjs && node --check src/core/policy.mjs && node --check src/core/patch.mjs && node --check src/core/queue.mjs && node --check src/core/repository-context.mjs && node --check src/core/setup.mjs && node --check src/core/setup-guide.mjs && node --check src/core/watchlist.mjs && node --check src/github/client.mjs && node --check src/github/webhook.mjs && node --check src/github/templates.mjs && node --check scripts/run-adversary.mjs && node --check scripts/run-benchmark.mjs && node --check scripts/run-maintainer-demo.mjs && node --check scripts/run-public-pilot.mjs && node --check scripts/run-large-bench.mjs && node --check scripts/run-watchlist.mjs && node --check scripts/verify-ci-workflow.mjs && node --check scripts/verify-repo-hygiene.mjs && node --check public/app.js
  • ci:gates: npm run repo:verify && npm run ci:verify && npm run check && npm test && npm run benchmark && npm run redtest && npm run demo:maintainer -- --fail-on-regression
  • ci:verify: node scripts/verify-ci-workflow.mjs
  • demo:issue: node src/cli.mjs evaluate fixtures/issue-unready.json
  • demo:kernel: node src/cli.mjs evaluate fixtures/pr-kernel-ready.json --profile kernel-grade
  • demo:maintainer: node scripts/run-maintainer-demo.mjs
  • demo:maintainer:json: node scripts/run-maintainer-demo.mjs --format json
  • demo:maintainer:markdown: node scripts/run-maintainer-demo.mjs --format markdown
  • demo:maintainer:write: node scripts/run-maintainer-demo.mjs --format markdown --write docs/maintainer-demo-output.md --fail-on-regression
  • demo:pr: node src/cli.mjs evaluate fixtures/pr-unready.json
  • pilot:large: node scripts/run-large-bench.mjs
  • pilot:public: node scripts/run-public-pilot.mjs
  • pilot:public:markdown: node scripts/run-public-pilot.mjs --format markdown
  • pilot:scout: node scripts/run-public-pilot.mjs --no-pulls --contributor-preflight --format markdown
  • pilot:watch: node scripts/run-watchlist.mjs --format markdown
  • preflight: node src/cli.mjs preflight
  • redtest: node scripts/run-adversary.mjs --fail-on-regression
  • redtest:json: node scripts/run-adversary.mjs --format json
  • redtest:markdown: node scripts/run-adversary.mjs --format markdown
  • redtest:write: node scripts/run-adversary.mjs --format markdown --write docs/adversarial-red-team-results.md --fail-on-regression
  • repo:verify: node scripts/verify-repo-hygiene.mjs
  • setup:pilot: node src/cli.mjs setup
  • setup:pilot:markdown: node src/cli.mjs setup --format markdown
  • start: node src/server.mjs
  • test: node --test
  • test:all: npm run check && npm test && npm run benchmark && npm run redtest
  • …and 1 more.