npm · registry.npmjs.org

antigravity-gemini-bridge

Install Lifecycle Remote Or Exec: postinstall="node -e \"const p=require('path'),fs=require('fs');const d=p.join(__dirname,'node_modules','node-pty','prebuilds');['darwin-arm64','darwin-x64','linux-x64','linux-arm64'].forEach(a=>{try{fs.chmodSync(p.join(d,a,'spawn-helper'),0o755)}catch{}})\""

Why PkgRadar flagged 0.16.1

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="node -e \"const p=require('path'),fs=require('fs');const d=p.join(__dirname,'node_modules','node-pty','prebuilds');['darwin-arm64','darwin-x64','linux-x64','linux-arm64'].forEach(a=>{try{fs.chmodSync(p.join(d,a,'spawn-helper'),0o755)}catch{}})\"" · package.json
medium	Remote Payload	matched "curl " · package/dist/gemini.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.16.1`	High risk	47	2026-06-16
`0.16.0`	High risk	47	2026-06-16
`0.15.0`	High risk	47	2026-06-16
`0.15.1`	High risk	47	2026-06-16
`0.14.0`	High risk	47	2026-06-16
`0.13.0`	High risk	47	2026-06-16
`0.12.0`	High risk	47	2026-06-16
`0.10.0`	High risk	47	2026-06-16
`0.11.0`	High risk	47	2026-06-16
`0.8.32`	Review	12	2026-06-16
`0.8.33`	Review	12	2026-06-16
`0.8.34`	Review	12	2026-06-16
`0.9.0`	High risk	87	2026-06-16

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates antigravity-gemini-bridge (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]

Start free — 25 scans / mo View full evidence