Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.
Cross-referenced across 55 tracked directories
Popularity Rank: #5416
Listed In: 1 / 55
Adoption Stage: Emerging
First Seen: 5/13/2026
Recently added to the ecosystem
cohereai

microsoft1es
Microsoft Application Insights JavaScript SDK - Web
creamidea

elliot-recall
Recall Desktop SDK