npm · registry.npmjs.org
@circlesac/clova
Remote Payload: matched "curl "
Why PkgRadar flagged 26.5.0
| Severity | Signal | Evidence |
|---|---|---|
| high | New Lifecycle Script Vs Previous | postinstall added in 26.5.0 vs 0.0.0: "node bin/install.js" · package.json |
| medium | Remote Payload | matched "curl " · package/bin/install.sh |
| medium | New Account With Lifecycle Hook | package first published 13 day(s) ago, 7 total version(s), has lifecycle hook · package.json |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
26.5.0 | High risk | 57 | 2026-06-10 |
26.5.4 | Review | 14 | 2026-05-29 |
26.5.5 | Review | 14 | 2026-05-29 |
26.5.1 | Review | 14 | 2026-05-28 |
Campaign attribution
Related campaigns
- install_lifecycle_remote_or_exec:postinstall="node bin/install.js" — 12 releases, max score 87
Block this in CI
pkgradar gate --ecosystem npm @circlesac/[email protected]