npm · registry.npmjs.org

@slycode/slycode

Install Lifecycle Remote Or Exec: postinstall="node -e \"const fs=require('fs'),p=require('path'); try{const d=p.join(p.dirname(require.resolve('node-pty/package.json')),'prebuilds'); fs.readdirSync(d).filter(f=>f.startsWith('darwin')).forEach(f=>{const h=p.join(d,f,'spawn-helper'); if(fs.existsSync(h)){fs.chmodSync(h,0o755);console.log('[slycode] Fixed node-pty spawn-helper permissions:',h)}})}catch{}\""

Why PkgRadar flagged 0.3.1

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="node -e \"const fs=require('fs'),p=require('path'); try{const d=p.join(p.dirname(require.resolve('node-pty/package.json')),'prebuilds'); fs.readdirSync(d).filter(f=>f.startsWith('darwin')).forEach(f=>{const h=p.join(d,f,'spawn-helper'); if(fs.existsSync(h)){fs.chmodSync(h,0o755);console.log('[slycode] Fixed node-pty spawn-helper permissions:',h)}})}catch{}\"" · package.json
medium	Remote Payload	matched "github.com/FiloSottile/mkcert/releases/download" · package/dist/web/node_modules/next/dist/lib/mkcert.js
medium	Remote Payload	matched "api.telegram.org/bot" · package/dist/messaging/channels/telegram.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.3.1`	High risk	105	2026-06-13
`0.2.39`	High risk	105	2026-06-13
`0.2.40`	High risk	105	2026-06-13
`0.3.0`	High risk	105	2026-06-13
`0.2.38`	High risk	105	2026-06-13

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @slycode/slycode (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @slycode/[email protected]

Start free — 25 scans / mo View full evidence