npm · registry.npmjs.org

@animoca/anichess-ethereum-contracts

Install Lifecycle Remote Or Exec: postinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"

Why PkgRadar flagged 4.1.0

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} \|\| :; done'" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.1.0`	High risk	17	2026-06-13
`4.2.0`	High risk	17	2026-06-13

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @animoca/anichess-ethereum-contracts (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @animoca/[email protected]

Start free — 25 scans / mo View full evidence