PkgRadar

Package evidence

[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 10
First published: Apr 2026
Publisher: cizz3007

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI: curl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: cizz3007
Artifact bytes: 1,124,977
Previous version: 0.0.0
Published: 2026-04-21T13:11:16.579Z
SHA-256: bc0b366c2c35ef1075c6d74569de8d3d7ff47400b264a63e00c938b3c77c6d58

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 35
Version: 0.1.0
Status history (1 event)
  1. new · available · risk high · score 35 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | Credential File Packaged | package/.env | package/.env | 35

Manifest

Package metadata

Scripts (16)
  • build: vite build
  • build:ch-overlay: node scripts/ensure-cargo.mjs && cd native/ch-overlay-node && npx --yes @napi-rs/[email protected] build --platform --release
  • build:dxgi-color: node scripts/ensure-cargo.mjs && cd native/dxgi-color-node && npx --yes @napi-rs/[email protected] build --platform --release
  • build:library:package: node scripts/build-library-package.mjs
  • build:main:package: node scripts/build-main-package.mjs
  • build:main:packages: npm run build:main:package && npm run build:main:runtime-package
  • build:main:runtime-package: node scripts/build-main-runtime-package.mjs
  • build:native: npm run build:ch-overlay && npm run build:dxgi-color
  • build:win: npm run build && electron-builder --win nsis portable
  • dev: vite
  • electron: electron main/index.js
  • pack:library: npm run build:library:package && npm pack ./release/npm/library-package
  • pack:main:package: npm run build:main:package && npm pack ./release/npm/main-package
  • pack:main:runtime-package: npm run build:main:runtime-package && npm pack ./release/npm/main-runtime-package
  • pack:win: npm run build && electron-builder --win --dir
  • start: concurrently -k "npm run dev" "wait-on tcp:3000 && npm run electron"
Dependencies (5)
  • dotenv ^17.2.3
  • react ^18.2.0
  • react-dom ^18.2.0
  • react-draggable ^4.5.0
  • react-router-dom ^6.20.0