PkgRadar

npm · registry.npmjs.org

@exellix/graph-composer

Install Lifecycle Remote Or Exec: postinstall="node -e \"const fs=require('fs'),p=require('path');const s=p.join('node_modules','nx-config2','bin','nx-config2.js'),d=p.join('node_modules','@x12i','env','bin','nx-config2.js');try{if(fs.existsSync(s)&&!fs.existsSync(d))fs.copyFileSync(s,d);}catch(_){}\""

Why PkgRadar flagged 2.7.9

| Severity | Signal | Evidence |
|---|---|---|
| high | Install Lifecycle Remote Or Exec | postinstall="node -e \"const fs=require('fs'),p=require('path');const s=p.join('node_modules','nx-config2','bin','nx-config2.js'),d=p.join('node_modules','@x12i','env','bin','nx-config2.js');try{if(fs.existsSync(s)&&!fs.existsSync(d))fs.copyFileSync(s,d);}catch(_){}\"" · package.json |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2.7.9 | High risk | 24 | 2026-06-12 |
| 2.0.7 | High risk | 35 | 2026-06-10 |
| 2.0.6 | High risk | 24 | 2026-06-10 |
| 2.0.2 | High risk | 35 | 2026-06-10 |
| 2.0.0 | High risk | 24 | 2026-06-10 |
| 2.7.8 | High risk | 35 | 2026-06-10 |
| 2.7.7 | High risk | 35 | 2026-06-10 |
| 2.7.6 | High risk | 35 | 2026-06-10 |
| 2.7.5 | High risk | 24 | 2026-06-10 |
| 2.7.4 | High risk | 35 | 2026-06-10 |
| 2.7.2 | High risk | 35 | 2026-06-10 |
| 2.7.1 | High risk | 35 | 2026-06-10 |
| 2.7.0 | High risk | 35 | 2026-06-10 |
| 2.6.2 | High risk | 24 | 2026-06-10 |
| 2.6.1 | High risk | 24 | 2026-06-10 |
| 2.6.0 | High risk | 35 | 2026-06-10 |
| 2.5.9 | High risk | 35 | 2026-06-10 |
| 2.5.8 | High risk | 24 | 2026-06-10 |
| 2.5.7 | High risk | 35 | 2026-06-10 |
| 2.5.6 | High risk | 24 | 2026-06-10 |
| 2.5.5 | High risk | 24 | 2026-06-10 |
| 2.5.2 | High risk | 24 | 2026-06-10 |
| 2.5.1 | High risk | 24 | 2026-06-10 |
| 2.4.2 | High risk | 24 | 2026-06-10 |
| 2.3.1 | High risk | 24 | 2026-06-10 |
| 2.2.1 | High risk | 24 | 2026-06-10 |
| 2.2.0 | High risk | 24 | 2026-06-10 |
| 2.1.10 | High risk | 24 | 2026-06-10 |
| 2.1.9 | High risk | 24 | 2026-06-10 |
| 2.1.8 | High risk | 24 | 2026-06-10 |
| 2.1.0 | High risk | 24 | 2026-06-10 |
| 2.0.9 | High risk | 24 | 2026-06-10 |

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @exellix/graph-composer (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @exellix/graph-composer@2.7.9