PkgRadar

Package evidence

[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
14,593Mainstream · −50% score
Versions published
1,039Established · −30% score
First published
Nov 2025
Publisher
kojiwakayama

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherkojiwakayama
Artifact bytes3,704,935
Previous version0.1.837
Published2026-06-17T13:17:42.828Z
SHA-256c819abb75cf1e16c712bdeb1f1d0565d4d96fba1c7e92925beca2d6c3f4d2d0a

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
2Score
0.1.838Version
Status history (1 event)
  1. newavailable · risk review · score 2 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/esm/cli/templates/manifest.jsmatched "AWS_ACCESS_KEY"5
lowLarge Javascript Payloadpackage/esm/src/integrations/_data.js3053291 bytes0

Manifest

Package metadata

Dependencies38
  • @babel/generator7.29.1
  • @babel/parser7.29.2
  • @babel/traverse7.29.0
  • @babel/types7.29.0
  • @deno/shim-crypto0.3.1
  • @deno/shim-deno0.18.0
  • @deno/shim-timers0.1.0
  • @mdx-js/mdx3.1.1
  • @types/hast3.0.3
  • @types/mdast4.0.3
  • @types/react19.2.14
  • @types/react-dom19.2.3
  • @types/unist3.0.2
  • es-module-lexer2.0.0
  • esbuild0.28.1
  • github-slugger2.0.0
  • jose5.9.6
  • mdast-util-to-string4.0.0
  • react19.2.4
  • react-dom19.2.4
  • redis5.11.0
  • rehype-highlight7.0.2
  • rehype-raw7.0.0
  • rehype-sanitize6.0.0
  • rehype-slug6.0.0
  • rehype-starry-night2.2.0
  • rehype-stringify10.0.1
  • remark-frontmatter5.0.0
  • remark-gfm4.0.1
  • remark-parse11.0.0
  • …and 8 more.
Optional dependencies3
  • @huggingface/transformers3.4.2
  • bash-tool1.3.16
  • just-bash2.14.5