PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
PublisherGitHub Actions
Artifact bytes443,360
Previous version1.7.4
Published2026-05-23T07:51:07.543Z
SHA-256def1f38f237574bbe9cbab86248e81978cd068005a7b3636122c38811689b6d9

Why flagged

What the scanner saw

Credential file access: matched ".ssh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
324Score
1.7.5Version
Status history (1 event)
  1. newavailable · risk high · score 324 · status changed

Evidence

Static findings

36 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/modules/SSHMimic/hostKey.jsmatched ".ssh"30
highCredential file accesspackage/dist/modules/VirtualShell/index.jsmatched ".SSH"30
highCredential file accesspackage/dist/modules/VirtualUserManager/index.jsmatched ".SSH"30
highCredential file accesspackage/dist/modules/linuxRootfs.jsmatched ".ssh"30
highInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.js"30
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node scripts/postinstall.js"30
mediumRemote Payloadpackage/dist/commands/curl.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/VirtualPackageManager/index.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/linuxRootfs.jsmatched "curl\n"12
mediumRemote Payloadpackage/dist/commands/manuals-bundle.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/VirtualProxy.jsmatched "curl "12
mediumRemote Payloadpackage/dist/commands/wget.jsmatched "wget "12
Show all 36 findings (low-signal and informational)
SeverityKindPathDetailPoints
highCredential file accesspackage/dist/modules/SSHMimic/hostKey.jsmatched ".ssh"30
highCredential file accesspackage/dist/modules/VirtualShell/index.jsmatched ".SSH"30
highCredential file accesspackage/dist/modules/VirtualUserManager/index.jsmatched ".SSH"30
highCredential file accesspackage/dist/modules/linuxRootfs.jsmatched ".ssh"30
highInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.js"30
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node scripts/postinstall.js"30
mediumRemote Payloadpackage/dist/commands/curl.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/VirtualPackageManager/index.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/linuxRootfs.jsmatched "curl\n"12
mediumRemote Payloadpackage/dist/commands/manuals-bundle.jsmatched "curl "12
mediumRemote Payloadpackage/dist/modules/VirtualProxy.jsmatched "curl "12
mediumRemote Payloadpackage/dist/commands/wget.jsmatched "wget "12
lowObfuscationpackage/dist/commands/clear.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/echo.jsmatched "\\x07"3
lowObfuscationpackage/dist/utils/expand.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/commands/file.jsmatched "\\x7f"3
lowObfuscationpackage/dist/commands/fun.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/help.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/htop.jsmatched "\\x1b"3
lowObfuscationpackage/dist/modules/VirtualFileSystem/index.jsmatched "Buffer.from(child.contentBase64, \"base64"3
lowObfuscationpackage/dist/commands/ls.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/miscutils.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/modules/nanoEditor.jsmatched "\\x1b"3
lowObfuscationpackage/dist/modules/neofetch.jsmatched "\\u001b"3
lowObfuscationpackage/dist/modules/pacmanGame.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/printf.jsmatched "\\x07"3
lowObfuscationpackage/dist/modules/SSHMimic/prompt.jsmatched "\\x01"3
lowObfuscationpackage/dist/commands/python.jsmatched "Eval("3
lowObfuscationpackage/dist/modules/SSHMimic/scp.jsmatched "\\x02"3
lowObfuscationpackage/dist/modules/VirtualShell/shell.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/shift.jsmatched "\\x00"3
lowObfuscationpackage/dist/commands/textutils.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/commands/tput.jsmatched "\\x1b"3
lowObfuscationpackage/dist/commands/tr.jsmatched "fromCharCode"3
lowObfuscationpackage/dist/utils/vfsDiff.jsmatched "Buffer.from(node.contentBase64, \"base64"3
lowObfuscationpackage/dist/modules/webTermRenderer.jsmatched "\\x1b"3

Manifest

Package metadata

Scripts27
  • benchrm -rf .benchmark-shells/ && bun benchmark-virtualshell.ts
  • benchmarkbun benchmark-virtualshell.ts > benchmark-results.txt
  • buildtsc --project tsconfig-build.json && rm -f dist/*standalone*
  • build-allbun run build && node scripts/build-all.mjs && cd demo && node build && cd .. && cp demo/app.js docs/app.js
  • checkbunx --bun @biomejs/biome check ./src ./tests ./examples ./demo
  • deploy:npmbun publish --access public
  • example-servecd demo && bun server.js
  • formatbunx --bun @biomejs/biome format --write ./src ./tests ./examples ./demo
  • generate-docbunx typedoc && bun build-all && cp demo/app.js docs/app.js
  • generate-manualsnode scripts/generate-manuals-bundle.mjs
  • generate-wikinode scripts/generate-wiki.mjs
  • generate-wiki:pushnode scripts/generate-wiki.mjs --push --auto
  • lintbunx --bun @biomejs/biome lint ./src ./tests ./examples ./demo
  • lint:writebunx --bun @biomejs/biome lint --write ./src ./tests ./examples ./demo
  • postinstallnode scripts/postinstall.js
  • publish-docbun generate-doc && bun publish-only
  • publish-doc-appbun build-all && bunx gh-pages -d docs && git add docs/app.js && git commit -m 'docs: update web terminal app' && git push
  • publish-onlygit add docs && git commit -m 'docs: update documentation' && git push && bunx gh-pages -d docs
  • publish-packagebash ./scripts/publish-package.sh
  • run-examplesfor i in 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 99; do echo "=== $i ===" && timeout 30 bun run examples/$i-*.ts 2>&1 | tail -5 && echo "" ; done
  • self-standalone-buildnode scripts/build-all.mjs
  • standalone-buildbunx esbuild src/standalone.ts --bundle --platform=node --target=node18 --outfile=builds/standalone.cjs --tree-shaking=true --minify --banner:js='#!/usr/bin/env node'
  • testbun run test-salve
  • test-batterybun test tests/
  • test-examplesfor i in 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 99; do timeout 30 bun run examples/$i-*.ts >/dev/null 2>&1; EXIT=$?; if [ $EXIT -eq 124 ]; then echo "$i ⚠️ TIMEOUT"; elif [ $EXIT -ne 0 ]; then echo "$i ❌ EXIT $EXIT"; else echo "$i ✅"; fi; done
  • test-salvefor f in tests/*.test.ts; do echo "\n🧪 Testing $f..."; bun test "$f" --timeout 10000; sleep 0.25; done
  • web-buildnode build.js
Dependencies2
  • fflate^0.8.3
  • ssh2^1.17.0
Optional dependencies1
  • roxify^1.16.14