PkgRadar

Package evidence

[email protected]

Credential file access: matched ".AWS"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: jolly-good
Artifact bytes: 98,312
Previous version: 0.9.3
Published: 2026-04-08T13:09:02.246Z
SHA-256: c7e374e013daa862ba9fc5c0eb636312539bed2752d30560b5a913e0c17a126a

Why flagged

What the scanner saw

Credential file access: matched ".AWS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 60
Version: 0.9.4

Status history (1 event)
  1. new · available · risk high · score 60 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burst · stale

jolly-good

2 members · evidence strength 54

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | Credential file access | package/dist/s3mini.js | matched ".AWS" | 30
high | Credential file access | package/src/S3.ts | matched ".AWS" | 30

Manifest

Package metadata

Scripts (17)
  • build: npm run clean && npm run typecheck && rollup -c
  • clean: rimraf dist
  • dev: npm run clean && npm run typecheck -w && rollup -c -w
  • format: prettier -w src
  • formatcheck: prettier --list-different src
  • lint: eslint src --ext .ts
  • prepublishOnly: npm run build
  • test:e2e: npm run test:public && npm run test:providers
  • test:e2e:bun: npm run test:public:bun && npm run test:providers:bun
  • test:perf: node ./tests/perf/performance.test.js
  • test:providers: node --experimental-vm-modules node_modules/jest/bin/jest.js --config jest.config.js --verbose
  • test:providers:bun: bun tests/run-bun.js tests/minio.test.js tests/hetzner.test.js tests/cloudflare.test.js tests/aws.test.js tests/backblaze.test.js tests/digitalocean.test.js tests/garage.test.js tests/oracle.test.js tests/scaleway.test.js tests/ceph.test.js tests/custom-fetch.test.js
  • test:public: node --experimental-vm-modules node_modules/jest/bin/jest.js --config jest.public.js --verbose
  • test:public:bun: bun test tests/anonymous-access.test.js
  • test:unit: node --experimental-vm-modules node_modules/jest/bin/jest.js --testMatch='<rootDir>/tests/{presigned-url,extract-bucket-name}.test.js' --verbose
  • test:unit:bun: bun test tests/presigned-url.test.js tests/extract-bucket-name.test.js
  • typecheck: tsc --noEmit