npm · registry.npmjs.org

its-over-9k

Install Lifecycle Remote Or Exec: postinstall="node scripts/use-prebuild.cjs && node -e \"try{require('child_process').execSync('node dist/cli.js update-skills',{stdio:'ignore'})}catch(e){}\""

Why PkgRadar flagged 1.3.7

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="node scripts/use-prebuild.cjs && node -e \"try{require('child_process').execSync('node dist/cli.js update-skills',{stdio:'ignore'})}catch(e){}\"" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.3.7`	High risk	35	2026-06-10
`1.3.8`	High risk	35	2026-06-10

Related campaigns

bumblebiber — 2 releases, max score 72
install_lifecycle_script:postinstall="node scripts/use-prebuild.cjs && node -e \"try{require('child_process').execsync('node dist/cli.js update-skills',{stdio:'ignore'})}catch(e){}\"" — 2 releases, max score 72
install_lifecycle_remote_or_exec:postinstall="node scripts/use-prebuild.cjs && node -e \"try{require('child_process').execsync('node dist/cli.js update-skills',{stdio:'ignore'})}catch(e){}\"" — 2 releases, max score 72

Block this in CI

PkgRadar gates its-over-9k (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]

Start free — 25 scans / mo View full evidence