PkgRadar

npm · registry.npmjs.org

@cnstra/mcp

Install Lifecycle Remote Or Exec: postinstall="node -e \"console.log('\\n CNStra MCP installed. Run: npx @cnstra/mcp init\\n')\""

Why PkgRadar flagged 1.1.1

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"console.log('\\n CNStra MCP installed. Run: npx @cnstra/mcp init\\n')\"" · package.json
highNew Account With Lifecycle Hookpackage first published 7 day(s) ago, 2 total version(s), has lifecycle hook · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
1.1.1High risk352026-06-10
1.1.0High risk502026-06-10

Block this in CI

PkgRadar gates @cnstra/mcp (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @cnstra/[email protected]
Start free — 25 scans / moView full evidence
@cnstra/mcp — npm security scan | PkgRadar