PkgRadar

npm · registry.npmjs.org

@codeatlas/mcp

Install-time lifecycle script: preinstall="node ./scripts/preinstall.js"

Why PkgRadar flagged 3.0.0

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspreinstall added in 3.0.0 vs 2.2.1: "node ./scripts/preinstall.js" · package.json
highNew Lifecycle Script Vs Previouspostinstall added in 3.0.0 vs 2.2.1: "node ./dist/postinstall-hint.js" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
3.4.0Review102026-06-11
3.3.0Review102026-06-10
3.0.0High risk902026-06-10
3.2.0Review102026-06-07
3.1.0Review102026-06-04
2.2.1Low risk02026-05-28
2.2.0Review102026-05-28
2.1.1Low risk02026-05-27
2.1.2Review72026-05-27
2.0.3Low risk02026-05-24
2.1.0Low risk02026-05-24

Campaign attribution

Part of the asteroiddao npm campaign campaign.

Block this in CI

PkgRadar gates @codeatlas/mcp (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @codeatlas/[email protected]
Start free — 25 scans / moView full evidence