Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 2
First published: Apr 2026
Publisher: bradkinnard

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherbradkinnard

Artifact bytes352,398

Previous version7.0.0-alpha.0

Published2026-06-10T23:53:23.309Z

SHA-2567ad73f46729f0bc3df5cce6188ab4eb42a1afb333dc4f1259d03da94e5b1199e

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

17h agoLast checked

reviewRisk

5Score

11.2.0Version

Status history (1 event)

new → available17h ago · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/src/audit/cheat-detector/diff-walker.js	matched ".npmrc"	5

Manifest

Package metadata

Scripts59

agent-incidence:arbitertsc -p tsconfig.build.json && node dist/scripts/real-prs/arbiter-agent-prs.js
agent-incidence:audittsc -p tsconfig.build.json && node dist/scripts/real-prs/audit-agent-prs.js
agent-incidence:fetchtsc -p tsconfig.build.json && node dist/scripts/real-prs/fetch-agent-prs.js
agent-incidence:fulltsc -p tsconfig.build.json && node dist/scripts/real-prs/fetch-agent-prs.js && node dist/scripts/real-prs/audit-agent-prs.js && node dist/scripts/real-prs/arbiter-agent-prs.js && node dist/scripts/real-prs/build-agent-incidence-report.js
agent-incidence:reporttsc -p tsconfig.build.json && node dist/scripts/real-prs/build-agent-incidence-report.js
badges:checktsc -p tsconfig.build.json && node dist/scripts/badges/regen-badges.js --check
badges:regentsc -p tsconfig.build.json && node dist/scripts/badges/regen-badges.js
benchmarks:baselinetsc -p tsconfig.build.json && node dist/scripts/benchmarks/run-baseline.js
benchmarks:fulltsc -p tsconfig.build.json && node dist/scripts/benchmarks/full.js
benchmarks:oracletsc -p tsconfig.build.json && node dist/scripts/benchmarks/run-oracle.js
benefit:arbitertsc -p tsconfig.build.json && node dist/scripts/real-prs/run-arbiter-dual.js
benefit:audittsc -p tsconfig.build.json && node dist/scripts/real-prs/run-audit-v2.js
benefit:differentialtsc -p tsconfig.build.json && node dist/scripts/real-prs/run-differential.js
benefit:fetchtsc -p tsconfig.build.json && node dist/scripts/real-prs/fetch-clean-v2.js
benefit:fulltsc -p tsconfig.build.json && node dist/scripts/real-prs/benefit-full.js
benefit:minetsc -p tsconfig.build.json && node dist/scripts/real-prs/mine-regressions.js
benefit:reporttsc -p tsconfig.build.json && node dist/scripts/real-prs/build-benefit-report.js
benefit:venntsc -p tsconfig.build.json && node dist/scripts/real-prs/differential-venn.js
block-eligibility:calibratetsc -p tsconfig.build.json && node dist/scripts/gate/run-trigger-calibration.js
block-eligibility:computetsc -p tsconfig.build.json && node dist/scripts/gate/compute-block-eligibility.js
block-eligibility:fulltsc -p tsconfig.build.json && node dist/scripts/gate/run-trigger-calibration.js && node dist/scripts/gate/compute-block-eligibility.js
block-policy:checknode dist/scripts/gate/check-block-policy.js
buildtsc -p tsconfig.build.json && node scripts/copy-non-ts-assets.js && node -e "require('fs').chmodSync('dist/src/cli.js', 0o755)"
build:dockertsc -p tsconfig.docker.json && node scripts/copy-non-ts-assets.js && node -e "require('fs').chmodSync('dist/src/cli.js', 0o755)"
calibrate:judgetsc -p tsconfig.build.json && node dist/scripts/oracle/calibrate-judge.js
cleannode -e "require('fs').rmSync('dist',{recursive:true,force:true})"
corpus:collect-negativestsc -p tsconfig.build.json && node dist/scripts/corpus/collect-negatives.js
corpus:collect-realtsc -p tsconfig.build.json && node dist/scripts/corpus/collect-real.js
corpus:generatetsc -p tsconfig.build.json && node dist/scripts/corpus/generate-v10.js
corpus:score-realtsc -p tsconfig.build.json && node dist/scripts/corpus/score-real.js
…and 29 more.

Dependencies6

@anthropic-ai/sdk^0.95.1
@octokit/rest^20
ajv^8.20.0
js-yaml^4.1.1
parse-diff^0.12.0
typescript^5.9.3