PkgRadar

npm · registry.npmjs.org

@panguard-ai/panguard

Install Lifecycle Remote Or Exec: postinstall="node -e \"console.log('\\n Panguard AI v' + require('./package.json').version + ' installed.\\n\\n Quick start:\\n pga Open interactive menu\\n pga up Start protection + dashboard\\n pga scan Scan your skills\\n pga audit <dir> Audit a skill before installing\\n\\n First time? Just run: pga\\n')\""

Why PkgRadar flagged 1.5.4

| Severity | Signal | Evidence |
| --- | --- | --- |
| high | Install Lifecycle Remote Or Exec | `postinstall="node -e \"console.log('\\n Panguard AI v' + require('./package.json').version + ' installed.\\n\\n Quick start:\\n pga Open interactive menu\\n pga up Start protection + dashboard\\n pga scan Scan your skills\\n pga audit <dir> Audit a skill before installing\\n\\n First time? Just run: pga\\n')\""` · package.json |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/dist/cli/commands/audit.js |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 1.5.4 | High risk | 47 | 2026-06-14 |
| 1.5.5 | High risk | 47 | 2026-06-14 |
| 1.5.6 | High risk | 47 | 2026-06-14 |
| 1.6.0 | High risk | 47 | 2026-06-14 |

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @panguard-ai/panguard (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @panguard-ai/[email protected]