Package evidence

[email protected]

Known Indicator Filename: package/dist/core/secrets/bundle.js

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherchristianmarcschmidt

Artifact bytes2,207,013

Previous version1.3.48-next.168

Published2026-05-22T08:32:14.514Z

SHA-25658e80a1ddc50aaafd6da9be419a0e57e895610d6de1f327353fd95b123d14e71

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/core/secrets/bundle.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

24d agoLast checked

highRisk

303Score

1.3.48-next.169Version

Status history (1 event)

new → available24d ago · risk high · score 303 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPstale

Known Indicator Filename — package/dist/core/secrets/bundle.js

2 members · evidence strength 70

Publisher / release actor burststale

christianmarcschmidt

2 members · evidence strength 64

Evidence

Static findings

42 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/dist/core/secrets/bundle.js	package/dist/core/secrets/bundle.js	45
high	Credential file access	package/dist/web/_app/immutable/chunks/ByUx3gj7.js	matched ".azure"	30
high	Credential file access	package/dist/utils/git.js	matched "GITHUB_TOKEN"	30
high	Credential file access	package/dist/agent/tools/graph-tools.js	matched ".ssh"	30
medium	Remote Payload	package/dist/server/routes/r2-api.js	matched "cUrl "	12
medium	Remote Payload	package/dist/services/assets/r2-sync.js	matched "cUrl "	12
medium	Remote Payload	package/dist/cli/commands/r2.js	matched "cUrl "	12
medium	Remote Payload	package/dist/services/assets/r2.js	matched "cUrl "	12
medium	Remote Payload	package/dist/mcp/server.js	matched "curl "	12
medium	Remote Payload	package/dist/core/workspace-manager.js	matched "cUrl "	12

Show all 42 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Known Indicator Filename	package/dist/core/secrets/bundle.js	package/dist/core/secrets/bundle.js	45
high	Credential file access	package/dist/web/_app/immutable/chunks/ByUx3gj7.js	matched ".azure"	30
high	Credential file access	package/dist/utils/git.js	matched "GITHUB_TOKEN"	30
high	Credential file access	package/dist/agent/tools/graph-tools.js	matched ".ssh"	30
medium	Remote Payload	package/dist/server/routes/r2-api.js	matched "cUrl "	12
medium	Remote Payload	package/dist/services/assets/r2-sync.js	matched "cUrl "	12
medium	Remote Payload	package/dist/cli/commands/r2.js	matched "cUrl "	12
medium	Remote Payload	package/dist/services/assets/r2.js	matched "cUrl "	12
medium	Remote Payload	package/dist/mcp/server.js	matched "curl "	12
medium	Remote Payload	package/dist/core/workspace-manager.js	matched "cUrl "	12
low	Obfuscation	package/dist/web/_app/immutable/chunks/_ExZKhom.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/nodes/2.D7P5CqY1.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/nodes/3.Dt3TqovG.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/8hESCR7R.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/B01OgfP-.js	matched "atob("	3
low	Obfuscation	package/dist/services/assets/base.js	matched "\\x00"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/BNjJ851o.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/BNyWFMEu2.js	matched "\\xA1"	3
low	Obfuscation	package/dist/services/bookmark-import-service.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/BT3KAag_.js	matched "\\xA0"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/ByUx3gj7.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/server/routes/chat.js	matched "\\u2014"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/CNMTMPof2.js	matched "\\u00a0"	3
low	Obfuscation	package/dist/cli/colors.js	matched "\\x1b"	3
low	Obfuscation	package/dist/core/comment-anchor.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/CUITrWFs2.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/D--9o78J.js	matched "\\uFE0F"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/Dsl02fVI2.js	matched "\\x00"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/DWY76udy2.js	matched "\\ufe00"	3
low	Obfuscation	package/dist/core/secrets/encryption.js	matched "Buffer.from(b64, 'base64"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/Ew37XZqa.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/cli/commands/admin/folder.js	matched "\\u2500"	3
low	Obfuscation	package/dist/cli/commands/folder.js	matched "\\u2500"	3
low	Obfuscation	package/dist/services/git.js	matched "\\x00"	3
low	Obfuscation	package/dist/server/routes/graph-api.js	matched "\\u201C"	3
low	Obfuscation	package/dist/services/import-service.js	matched "Buffer.from(content, 'base64"	3
low	Obfuscation	package/dist/cli/index.js	matched "\\x1b"	3
low	Obfuscation	package/dist/cli/commands/join.js	matched "\\u2022"	3
low	Obfuscation	package/dist/core/secrets/master-key.js	matched "Buffer.from(trimmed, 'base64"	3
low	Obfuscation	package/dist/cli/commands/start.js	matched "\\x1b"	3
low	Obfuscation	package/dist/mcp/state-signer.js	matched "Buffer.from(state, 'base64"	3
low	Obfuscation	package/dist/web/_app/immutable/chunks/szy39T1a2.js	matched "fromCharCode"	3

Manifest

Package metadata

Scripts11

buildnode --max-old-space-size=8192 node_modules/typescript/bin/tsc && mkdir -p dist/agent/prompts dist/agent/skills && cp src/agent/prompts/*.md dist/agent/prompts/ && cp -r src/agent/skills/* dist/agent/skills/
build:allnpm run build && npm run build:web
build:webnpm --workspace studiograph-web run build
devtsc --watch
dev:webnpm --workspace studiograph-web run dev
lintnode --max-old-space-size=8192 node_modules/typescript/bin/tsc --noEmit
prepublishOnlynpm run build:all
release:nextnpm publish --tag next
testvitest
test:integrationvitest run --project integration
test:unitvitest run --project unit

Dependencies46

@ai-sdk/anthropic^3.0.46
@ai-sdk/google^3.0.30
@ai-sdk/openai^3.0.30
@aws-sdk/client-s3^3.500.0
@aws-sdk/s3-request-presigner^3.1045.0
@clack/prompts^0.7.0
@fastify/cookie^11.0.2
@fastify/cors^10.1.0
@fastify/multipart^9.4.0
@fastify/rate-limit^10.3.0
@fastify/websocket^11.2.0
@lancedb/lancedb^0.27.2
@mariozechner/pi-agent-core^0.70.2
@mariozechner/pi-ai^0.70.2
@mariozechner/pi-tui^0.70.2
@modelcontextprotocol/sdk^1.26.0
@mozilla/readability^0.6.0
@noble/ciphers^1.3.0
@types/archiver^7.0.0
ai^6.0.97
archiver^7.0.1
bcryptjs^3.0.3
better-sqlite3^12.6.2
chalk^5.6.2
cli-highlight^2.1.11
commander^11.1.0
consola^3.4.2
csv-parse^5.6.0
csv-stringify^6.6.0
diff-match-patch^1.0.5
…and 16 more.

Optional dependencies1

playwright^1.58.2