PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,776Niche · −30% score
Versions published
186Mature · −50% score
First published
Sep 2024
Publisher
underpost.net

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherunderpost.net
Artifact bytes3,082,453
Previous version3.2.12
Published2026-06-02T21:45:46.468Z
SHA-256a826a2f4ce9cd251635da123a88e037d9d36a51bebaf4dd8a8cfed0beb43617f

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
20Score
3.2.14Version
Status history (1 event)
  1. newavailable · risk review · score 20 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumCredential file accesspackage/src/cli/baremetal.jsmatched ".ssh/"10
mediumCredential file accesspackage/src/cli/cloud-init.jsmatched "id_rsa"10
mediumCredential file accesspackage/src/cli/system.jsmatched ".ssh/"10
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumCredential file accesspackage/src/cli/baremetal.jsmatched ".ssh/"10
mediumCredential file accesspackage/src/cli/cloud-init.jsmatched "id_rsa"10
mediumCredential file accesspackage/src/cli/system.jsmatched ".ssh/"10
lowCredential file accesspackage/src/cli/ssh.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsoninstall="npm run install:global && npm run install:test"5

Manifest

Package metadata

Scripts22
  • baremetalnode bin baremetal --dev --commission --ls --create-machine
  • buildnode bin client
  • cleannode bin env clean && node bin run clean
  • devNODE_ENV=development nodemon src/server
  • dev:apiNODE_ENV=development nodemon --watch src --ignore src/client src/api
  • dev:clientNODE_ENV=development node src/client.dev
  • dev:containerNODE_ENV=development node src/server
  • dev:proxyNODE_ENV=development node src/proxy proxy
  • docstypedoc --options typedoc.json
  • fixnpm audit fix --force && npm audit
  • installnpm run install:global && npm run install:test
  • install:globalnpm install -g prettier
  • install:testnpm install -g mocha && npm install -g c8 && npm install -g coveralls-next
  • prettierprettier --write .
  • prod:containerNODE_ENV=production node src/server
  • securitynpm run security:secrets:ci && npm run security:deps
  • security:depsnpm audit
  • security:secretsgitleaks detect --source . --config .gitleaks.toml --report-path ./gitleaks-report.json --report-format json --redact=0
  • security:secrets:cigitleaks detect --source . --config .gitleaks.toml --redact=1
  • startnode --max-old-space-size=8192 src/server
  • testNODE_ENV=test c8 mocha
  • test:monitorNODE_ENV=test c8 mocha test/deploy-monitor.test.js
Dependencies69
  • @fortawesome/fontawesome-free^7.2.0
  • @fullcalendar/rrule^6.1.20
  • @grpc/grpc-js^1.14.4
  • @grpc/proto-loader^0.8.1
  • @neodrag/vanilla^2.3.1
  • adm-zip^0.5.17
  • ag-grid-community^35.3.0
  • axios^1.16.1
  • bumpp^11.1.0
  • chai^6.2.2
  • clipboardy^5.3.1
  • cloudinary^2.10.0
  • colors^1.4.0
  • commander^15.0.0
  • compression^1.7.4
  • cookie-parser^1.4.7
  • cors^2.8.6
  • d3^7.9.0
  • dexie^4.4.3
  • dotenv^17.4.2
  • easymde^2.21.0
  • esbuild^0.28.0
  • escape-string-regexp^5.0.0
  • express^5.2.1
  • express-fileupload^1.4.3
  • express-rate-limit^8.5.2
  • express-slow-down^3.1.0
  • fast-json-stable-stringify^2.1.0
  • favicons^7.3.0
  • fs-extra^11.3.5
  • …and 39 more.