npm · registry.npmjs.org

@liumir/lmcode

Install Lifecycle Remote Or Exec: preinstall="node -e \"console.log('\\n📦 正在安装 lmcode，请稍候...\\n')\""

Why PkgRadar flagged 0.7.0

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	preinstall="node -e \"console.log('\\n📦 正在安装 lmcode，请稍候...\\n')\"" · package.json
high	New Account With Lifecycle Hook	package first published 2 day(s) ago, 5 total version(s), has lifecycle hook · package.json
medium	Suspicious Publish Context	{"package_age_days":2,"publisher":"liumir","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.7.0`	High risk	50	2026-06-20
`0.6.0`	High risk	50	2026-06-20
`0.5.13`	High risk	50	2026-06-20
`0.5.14`	High risk	50	2026-06-20
`0.5.15`	High risk	50	2026-06-20

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @liumir/lmcode (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @liumir/[email protected]