PkgRadar

npm · registry.npmjs.org

mailpouch

Install-time lifecycle script: postinstall="node scripts/install-hooks.mjs"

Why PkgRadar flagged 3.0.64

| Severity | Signal | Evidence |
| --- | --- | --- |
| high | New Lifecycle Script Vs Previous | postinstall added in 3.0.64 vs 3.0.40: "node scripts/install-hooks.mjs" · package.json |

Scanned versions

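| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 3.0.64 | High risk | 45 | 2026-06-10 |
| 3.0.77 | Review | 3 | 2026-06-06 |
| 3.0.76 | Review | 3 | 2026-06-06 |
| 3.0.75 | Review | 5 | 2026-06-05 |
| 3.0.74 | Review | 5 | 2026-06-04 |
| 3.0.73 | Review | 3 | 2026-06-03 |
| 3.0.72 | Review | 3 | 2026-06-03 |
| 3.0.71 | Review | 5 | 2026-05-31 |
| 3.0.68 | Review | 5 | 2026-05-31 |
| 3.0.66 | Review | 5 | 2026-05-31 |
| 3.0.65 | Review | 5 | 2026-05-31 |
| 3.0.40 | Low risk | 0 | 2026-05-28 |
| 3.0.21 | Low risk | 0 | 2026-05-27 |
| 3.0.27 | Low risk | 0 | 2026-05-27 |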

Campaign attribution

Part of the asteroiddao npm campaign.

Block this in CI

PkgRadar gates mailpouch (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]