npm · registry.npmjs.org

icoa-cli

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{require('./dist/postinstall.js')}catch(e){}\""

Why PkgRadar flagged 2.19.288

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="node -e \"try{require('./dist/postinstall.js')}catch(e){}\"" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.19.288`	High risk	17	2026-06-17
`2.19.287`	High risk	17	2026-06-15
`2.19.286`	High risk	17	2026-06-15
`2.19.285`	High risk	17	2026-06-15
`2.19.284`	High risk	17	2026-06-15
`2.19.282`	High risk	17	2026-06-15
`2.19.283`	High risk	17	2026-06-15
`2.19.280`	High risk	17	2026-06-15
`2.19.281`	High risk	17	2026-06-15
`2.19.279`	High risk	17	2026-06-15
`2.19.277`	High risk	17	2026-06-15
`2.19.278`	High risk	17	2026-06-15
`2.19.276`	High risk	17	2026-06-15
`2.19.274`	High risk	17	2026-06-14
`2.19.275`	High risk	17	2026-06-14
`2.19.273`	High risk	17	2026-06-14
`2.19.271`	High risk	17	2026-06-14
`2.19.272`	High risk	17	2026-06-14
`2.19.270`	High risk	17	2026-06-14
`2.19.269`	High risk	17	2026-06-14
`2.19.268`	High risk	17	2026-06-14
`2.19.267`	High risk	17	2026-06-13
`2.19.266`	High risk	17	2026-06-13
`2.19.265`	High risk	17	2026-06-13
`2.19.264`	High risk	17	2026-06-13
`2.19.263`	High risk	17	2026-06-13
`2.19.234`	High risk	17	2026-06-13
`2.19.233`	High risk	17	2026-06-13
`2.19.232`	High risk	35	2026-06-13
`2.19.231`	High risk	17	2026-06-13
`2.19.261`	High risk	24	2026-06-10
`2.19.262`	High risk	24	2026-06-10
`2.19.229`	High risk	24	2026-06-10
`2.19.230`	High risk	24	2026-06-10
`2.19.222`	High risk	24	2026-06-10
`2.19.223`	High risk	24	2026-06-10
`2.19.219`	High risk	35	2026-06-10
`2.19.218`	High risk	24	2026-06-10
`2.19.216`	High risk	35	2026-06-10
`2.19.217`	High risk	24	2026-06-10
`2.19.260`	High risk	24	2026-06-10
`2.19.259`	High risk	35	2026-06-10
`2.19.257`	High risk	24	2026-06-10
`2.19.256`	High risk	24	2026-06-10
`2.19.255`	High risk	24	2026-06-10
`2.19.254`	High risk	24	2026-06-10
`2.19.253`	High risk	35	2026-06-10
`2.19.252`	High risk	24	2026-06-10
`2.19.251`	High risk	24	2026-06-10
`2.19.250`	High risk	24	2026-06-10
`2.19.248`	High risk	24	2026-06-10
`2.19.249`	High risk	24	2026-06-10
`2.19.247`	High risk	24	2026-06-10
`2.19.246`	High risk	24	2026-06-10
`2.19.245`	High risk	24	2026-06-10
`2.19.244`	High risk	24	2026-06-10
`2.19.243`	High risk	35	2026-06-10
`2.19.242`	High risk	24	2026-06-10
`2.19.241`	High risk	24	2026-06-10
`2.19.240`	High risk	24	2026-06-10
`2.19.238`	High risk	24	2026-06-10
`2.19.239`	High risk	24	2026-06-10
`2.19.236`	High risk	24	2026-06-10
`2.19.209`	High risk	24	2026-06-10
`2.19.210`	High risk	24	2026-06-10
`2.19.194`	High risk	35	2026-06-10
`2.19.208`	High risk	24	2026-06-10
`2.19.207`	High risk	24	2026-06-10
`2.19.205`	High risk	24	2026-06-10
`2.19.206`	High risk	24	2026-06-10
`2.19.204`	High risk	24	2026-06-10
`2.19.197`	High risk	24	2026-06-10
`2.19.200`	High risk	24	2026-06-10
`2.19.196`	High risk	24	2026-06-10
`2.19.195`	High risk	24	2026-06-10
`2.19.201`	High risk	24	2026-06-10
`2.19.202`	High risk	24	2026-06-10
`2.19.198`	High risk	24	2026-06-10
`2.19.199`	High risk	24	2026-06-10
`2.19.203`	High risk	31	2026-06-10
`2.19.235`	High risk	24	2026-06-10

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates icoa-cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]

Start free — 25 scans / mo View full evidence