PkgRadar

npm · registry.npmjs.org

mtgql

Install-time lifecycle script: postinstall="echo 'this is extremely cursed' && cp patch/generate.js node_modules/nearley/lib"

Why PkgRadar flagged 5.0.0

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspostinstall added in 5.0.0 vs 4.0.2: "echo 'this is extremely cursed' && cp patch/generate.js node_modules/nearley/lib" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
4.0.1Low risk02026-06-13
4.0.2Low risk02026-06-13
5.0.0High risk452026-06-13
4.0.0Low risk02026-06-13

Campaign attribution

Part of the asteroiddao npm campaign campaign.

Block this in CI

PkgRadar gates mtgql (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence