PkgRadar

npm · registry.npmjs.org

libgio-node

Native Addon Gyp Action: binding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle)

Why PkgRadar flagged 1.0.6

SeveritySignalEvidence
highNative Addon Gyp Actionbinding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle) · package/binding.gyp

Scanned versions

VersionVerdictScoreScanned (UTC)
1.0.6High risk352026-06-13
1.0.7High risk352026-06-13
1.0.8High risk352026-06-13
1.0.9High risk352026-06-13

Campaign attribution

Part of the Miasma worm campaign.

Block this in CI

PkgRadar gates libgio-node (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence