Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 9
First published: May 2026
Publisher: dev-tamer-ai

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherdev-tamer-ai

Artifact bytes372,467

Previous version2.120.1

Published2026-06-01T20:49:41.612Z

SHA-2560eaf56a32c579bc2eb58eb0e162c03e18cbe448fb4dd8f9a507690ffce4f2112

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

15d agoLast checked

reviewRisk

5Score

2.120.2Version

Status history (1 event)

new → available15d ago · risk review · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/tamer.bundle.js	matched ".ssh/"	5
low	Obfuscation Density	package/dist/tamer.bundle.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts19

buildnpm run prebuild && tsc
build:bundlenode scripts/build-bundle.mjs
devnpm run prebuild && tsx src/index.ts
linteslint -c eslint.bundle.config.js src
pack:smokebash scripts/npm-pack-smoke.sh
pkg:smokebash scripts/pkg-smoke.sh
poc:f01tsx tests/f01-pty-proxy/poc.ts claude
poc:f02tsx tests/f02-event-builder/poc.ts
poc:f03tsx tests/f03-approval-detection/poc.ts
poc:f04tsx tests/f04-input-injection/poc.ts claude
poc:f12tsx tests/f12-idle-detection/poc.ts
prebuildnode scripts/sync-version.js
prepacknode scripts/build-bundle.mjs
startnpm run prebuild && tsx src/index.ts
testtsx tests/run-all.ts
test:agenttsx tests/run-all.ts --with-agent claude
test:crypto:coveragevitest run --coverage --config vitest.crypto-coverage.config.ts tests/crypto/key-exchange.test.ts
test:crypto:fuzzvitest run tests/crypto/key-exchange.fuzz.test.ts
test:watchvitest

Dependencies10

@inquirer/prompts^8.4.2
@modelcontextprotocol/sdk^1.27.1
@xterm/headless^6.0.0
commander^13.0.0
node-pty^1.1.0
tweetnacl^1.0.3
tweetnacl-util^0.15.1
ws^8.18.0
yaml^2.6.0
zod^4.3.6

Optional dependencies1

koffi^2.16.1