PkgRadar

npm · registry.npmjs.org

@tpsdev-ai/flair

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{const{chmodSync,statSync}=require('fs');const p='dist/cli.js';if(statSync(p).isFile()){chmodSync(p,0o755);console.error('@tpsdev-ai/flair: chmod +x ' + p + ' OK')}}catch(e){if(e.code!=='ENOENT')console.error('postinstall warn:',e.message)}\""

Why PkgRadar flagged 0.9.0

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"try{const{chmodSync,statSync}=require('fs');const p='dist/cli.js';if(statSync(p).isFile()){chmodSync(p,0o755);console.error('@tpsdev-ai/flair: chmod +x ' + p + ' OK')}}catch(e){if(e.code!=='ENOENT')console.error('postinstall warn:',e.message)}\"" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.9.0High risk352026-06-13
0.10.0High risk352026-06-13
0.8.3High risk352026-06-11
0.10.1High risk352026-06-10

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @tpsdev-ai/flair (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @tpsdev-ai/[email protected]
Start free — 25 scans / moView full evidence
@tpsdev-ai/flair — npm security scan | PkgRadar