PkgRadar

Package evidence

@animoca/[email protected]

Install Lifecycle Remote Or Exec: postinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
86
Versions published
27Mature · −50% score
First published
Dec 2023
Publisher
nataouze

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@animoca/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@animoca/[email protected]"],"fail_on":"high"}'
Publishernataouze
Artifact bytes800,764
Previous version4.0.1
Published2026-04-30T06:20:10.907Z
SHA-256380000eefe0341aa89e1fc03e40e9b7d95ca07e50553348508063c40f05db4d4

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: postinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
17Score
4.1.0Version
Status history (1 event)
  1. newavailable · risk high · score 17 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"30
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"30
lowInstall-time lifecycle scriptpackage.jsonpostinstall="bash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'"5

Manifest

Package metadata

Scripts25
  • cleanrun-p clean:compile clean:artifacts:soft clean:hardhat clean:flatten clean:coverage clean:docgen
  • clean:artifacts:hardrm -rf "artifacts"
  • clean:artifacts:softfind "artifacts/*" | grep -v '^artifacts/build-info\|^artifacts/contracts' | xargs rm -rf
  • clean:compilerm -rf "cache"
  • clean:coveragerm -rf 'coverage*' coverage coverage.json artifacts.coverage cache.coverage
  • clean:docgenrm -rf "docs"
  • clean:flattenrm -rf "flattened"
  • clean:hardhatrm -rf "hardhat.config.last.json"
  • clean:vscoderm -rf ".vscode/extensions.json" ".vscode/launch.json" ".vscode/settings.json"
  • compilehardhat compile --show-stack-traces
  • coveragecross-env COVERAGE=true hardhat coverage --show-stack-traces
  • docgenrun-s docgen:sol
  • docgen:solhardhat docgen --show-stack-traces
  • flattenhardhat flatten-all --show-stack-traces
  • lintrun-s lint:js lint:sol
  • lint:fixrun-s lint:js:fix lint:sol:fix
  • lint:jsprettier '**/*.{js,ts}' --check && eslint '**/*.{js,ts}'
  • lint:js:fixprettier '**/*.{js,ts}' --write && eslint '**/*.{js,ts}' --fix
  • lint:solprettier 'contracts/**/*.sol' --check && solhint 'contracts/**/*.sol'
  • lint:sol:fixprettier 'contracts/**/*.sol' --write && solhint --fix --noPrompt 'contracts/**/*.sol'
  • postinstallbash -c 'for cfg in .vscode/settings.json .vscode/extensions.json .vscode/launch.json; do cp -n ${cfg}.default ${cfg} || :; done'
  • prepackrun-s clean:artifacts:hard compile clean
  • run-allrun-s clean clean:artifacts:hard lint:fix compile docgen flatten test-p coverage
  • testhardhat test --show-stack-traces
  • test-phardhat test --parallel --show-stack-traces