Supply-chain threat intelligence
Risk score
92
Indexed incident for @arbocollab/arbo-web-people (npm).
The published tarball ships a file named npmjs.npmrc containing a live npm_-prefixed _authToken for registry.npmjs.org, scoped to @arbocollab. package.json declares "files": ["*"], which pulls every file at the package root into the tarball, and .npmignore does not exclude npmjs.npmrc, so every installer receives the credential. The package.json publish:lib script references the same file via --userconfig=npmjs.npmrc, which confirms it is the maintainer's actual publish configuration rather than a stub or a CI placeholder.

Impact: anyone who installs the package or fetches the tarball from the registry holds the maintainer's publish credential. Provided the token carries publish permission and is not blocked by a 2FA-on-write requirement on the account, it can be used to publish arbitrary malicious versions of any package in the @arbocollab scope, turning this leak into a supply-chain attack on every downstream consumer of that scope. No install-time hooks (preinstall/postinstall) are present; the harm is the credential redistribution itself, and it persists for as long as the token remains valid, regardless of whether the offending versions are later removed.

Remediation: revoke the token immediately (npm token revoke, or from the account's access-token settings), then review the account's recent publishes across the scope for versions the maintainer did not release; unpublish the affected versions where the registry's unpublish policy still allows it, otherwise deprecate them; remove npmjs.npmrc from the published tarball by replacing "files": ["*"] with an explicit allowlist of build output (a .npmignore entry is not a reliable fix on its own, because files included via the files field cannot be excluded through .npmignore); and confirm with npm pack --dry-run that no .npmrc-style file appears in the file list before republishing. Going forward, keep the token out of the repository entirely: supply it through an environment variable and reference it from .npmrc as //registry.npmjs.org/:_authToken=${NPM_TOKEN}, which npm expands at run time, so the file itself contains no secret even if it is accidentally packed.
Affected versions
Indicators
Timeline