Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 45 · status changed
Related candidates
Linked campaigns and clusters
davidbatista
2 members · evidence strength 53Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/services/image-decoder.js | matched ".ssh" | 30 |
| medium | Remote Payload | package/dist/cli/hermes.js | matched "curl " | 12 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential file access | package/dist/services/image-decoder.js | matched ".ssh" | 30 |
| medium | Remote Payload | package/dist/cli/hermes.js | matched "curl " | 12 |
| low | Obfuscation | package/dist/services/image-decoder.js | matched "Buffer.from(match[2], \"base64" | 3 |
Manifest
Package metadata
Scripts28
buildtsc -p tsconfig.jsondevtsx src/index.tsprepacknpm run build && node -e "require('node:fs').accessSync('dist/index.js')"smokenode scripts/smoke-tools.mjssmoke:httpnode scripts/smoke-http.mjsstartnode dist/index.jstestnpm run typecheck && npm run build && npm run test:normalization && npm run test:providers && npm run test:intake-store && npm run test:hydration-goals && npm run test:goal-progress && npm run test:meal-estimator && npm run test:display-names && npm run test:image-tools && npm run test:summary && npm run test:privacy && npm run test:http-helper && npm run test:local-date && npm run test:carbon && npm run test:security && npm run test:ux-tools && npm run test:coach-wearable && npm run smoke && npm run smoke:http && npm run test:cli-ux && npm run test:agent-readiness && npm run test:hermes-agent && npm run prepack && npm run test:metadatatest:agent-readinessnode scripts/agent-readiness-test.mjstest:carbonnode scripts/test-carbon.mjstest:cli-uxnode scripts/cli-ux-test.mjstest:coach-wearablenode scripts/test-coach-wearable.mjstest:display-namesnode scripts/test-display-names.mjstest:goal-progressnode scripts/test-goal-progress.mjstest:hermes-agentnode scripts/hermes-agent-manifest-test.mjstest:http-helpernode scripts/test-http-helper.mjstest:hydration-goalsnode scripts/test-hydration-goals.mjstest:image-toolsnode scripts/test-image-tools.mjstest:intake-storenode scripts/test-intake-store.mjstest:local-datenode scripts/test-local-date.mjstest:meal-estimatornode scripts/test-meal-estimator.mjstest:metadatanode scripts/metadata-check.mjstest:normalizationnode scripts/test-normalization.mjstest:privacynode scripts/privacy-redaction-test.mjstest:providersnode scripts/test-providers.mjstest:securitynode scripts/test-security-and-locks.mjstest:summarynode scripts/test-summary.mjstest:ux-toolsnode scripts/test-ux-tools.mjstypechecktsc --noEmit -p tsconfig.json
Dependencies7
@modelcontextprotocol/ext-apps^1.7.1@modelcontextprotocol/sdk^1.21.0@zxing/library^0.21.3cors^2.8.6express^5.2.1sharp^0.34.5zod^4.4.3