PkgRadar

npm · registry.npmjs.org

vibeyard

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{require('electron-builder/package.json');require('child_process').execSync('electron-builder install-app-deps',{stdio:'inherit'})}catch{}\""

Why PkgRadar flagged 0.3.1

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"try{require('electron-builder/package.json');require('child_process').execSync('electron-builder install-app-deps',{stdio:'inherit'})}catch{}\"" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.3.1High risk352026-06-10
0.3.0High risk352026-06-10
0.2.39High risk352026-06-10
0.2.37High risk352026-06-10

Campaign attribution

Part of the Clob dropper campaign.

Block this in CI

PkgRadar gates vibeyard (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence