npm · registry.npmjs.org

@ifc-lite/server-bin

Install Lifecycle Remote Or Exec: postinstall="node -e \"import('./dist/postinstall.js').catch(() => {})\" || true"

Why PkgRadar flagged 1.14.4

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="node -e \"import('./dist/postinstall.js').catch(() => {})\" \|\| true" · package.json
high	Install Lifecycle Suppresses Failure	postinstall="node -e \"import('./dist/postinstall.js').catch(() => {})\" \|\| true" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.16.2`	Review	16	2026-06-10
`1.14.4`	High risk	55	2026-06-10
`1.16.1`	Review	16	2026-06-07
`1.16.0`	Review	16	2026-06-01
`1.15.0`	Review	16	2026-05-30

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @ifc-lite/server-bin (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @ifc-lite/[email protected]