PkgRadar

Package evidence

[email protected]

Credential file access: matched ".AWS"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishersvidgen
Artifact bytes21,324
Previous version0.1.183
Published2026-05-19T01:18:07.447Z
SHA-25622742e9cec145796c15e83c958c45e765df1137edd20044e720a293b9afdc8f9

Why flagged

What the scanner saw

Credential file access: matched ".AWS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
180Score
0.1.184Version
Status history (1 event)
  1. newavailable · risk high · score 180 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

svidgen

14 members · evidence strength 81

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highCredential file accesspackage/dist/resources/background-job.jsmatched ".AWS"30
highCredential file accesspackage/dist/services/email-sender.jsmatched ".AWS"30
highCredential file accesspackage/dist/services/file.jsmatched ".aws"30
highCredential file accesspackage/dist/services/llm.jsmatched ".AWS"30
highCredential file accesspackage/dist/client/realtime.jsmatched ".aws"30
highCredential file accesspackage/dist/services/realtime.jsmatched ".aws"30

Manifest

Package metadata

Scripts2
  • buildnpm run clean && tsc
  • cleanrimraf dist
Dependencies16
  • @aws-crypto/sha256-js^5.2.0
  • @aws-sdk/client-bedrock-runtime^3.821.0
  • @aws-sdk/client-cognito-identity-provider^3.741.0
  • @aws-sdk/client-dynamodb^3.774.0
  • @aws-sdk/client-lambda3.821.0
  • @aws-sdk/client-s3^3.738.0
  • @aws-sdk/client-ses^3.998.0
  • @aws-sdk/credential-provider-node^3.806.0
  • @aws-sdk/lib-dynamodb^3.778.0
  • @aws-sdk/protocol-http^3.370.0
  • @aws-sdk/signature-v4^3.370.0
  • jose^6.1.0
  • jsdom^25.0.0
  • rimraf^6.0.1
  • wirejs-dom^1.0.44
  • wirejs-resources-basenpm:wirejs-resources@^0.1.178