npm · registry.npmjs.org
curlbash
Why PkgRadar flagged 1.0.9
| Severity | Signal | Evidence |
|---|---|---|
| high | Install Lifecycle Remote Or Exec | postinstall="node -e \"const{join}=require('path');const{homedir}=require('os');const{mkdirSync,existsSync,copyFileSync,writeFileSync,readdirSync}=require('fs');const h=join(homedir(),'.curlbash');if(!existsSync(h))mkdirSync(h,{recursive:true});['scripts','data'].forEach(d=>{const p=join(h,d);if(!existsSync(p))mkdirSync(p,{recursive:true})});const s=join(__dirname,'scripts');if(existsSync(s))readdirSync(s).filter(f=>f.endsWith('.sh')).forEach(f=>{const t=join(h,'scripts',f);copyFileSync(join(s,f),t)});const e=join(h,'.env');if(!existsSync(e))writeFileSync(e,'PORT=3000\\nJWT_SECRET=curlbash-change-me\\n');console.log('✓ curlbash → '+h)\"" · package.json |
| medium | New Account With Lifecycle Hook | package first published 7 day(s) ago, 10 total version(s), has lifecycle hook · package.json |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 1.0.9 | High risk | 35 | 2026-06-10 |
| 1.0.8 | High risk | 35 | 2026-06-10 |
| 1.0.7 | High risk | 35 | 2026-06-10 |
| 1.0.5 | High risk | 35 | 2026-06-10 |
| 1.0.6 | High risk | 35 | 2026-06-10 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]