Package evidence
@box/[email protected]
Install-time lifecycle script: postinstall="rm -rf ./node_modules/@github/keytar/build"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,232Niche · −30% score
- Versions published
- 51Mature · −50% score
- First published
- Dec 2018
- Publisher
- box-npm
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@box/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@box/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: postinstall added in 4.9.0 vs 4.8.2: "rm -rf ./node_modules/@github/keytar/build"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 45 · status changed
Evidence
Static findings
2 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 4.9.0 vs 4.8.2: "rm -rf ./node_modules/@github/keytar/build" | 40 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 4.9.0 vs 4.8.2: "rm -rf ./node_modules/@github/keytar/build" | 40 |
| low | Install-time lifecycle script | package.json | postinstall="rm -rf ./node_modules/@github/keytar/build" | 5 |
| low | Obfuscation Density | package/npm-shrinkwrap.json | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts15
buildoclif pack:macos && rm -rf tmp/ && oclif pack:win && rm -rf tmp/build:tarballsoclif pack:tarballs --no-xz --parallelchangelognode node_modules/standard-version/bin/cli.js --skip.commit --skip.push --skip.tag --dry-runcleanfind src/ -type d -name 'dist' -exec rm -rf {} +licensegenerate-license-file --overwritelinteslint --fix ./src ./testpostinstallrm -rf ./node_modules/@github/keytar/buildpostpackrm -f oclif.manifest.json && rm -f npm-shrinkwrap.json && npm installposttestnpm run lintprepacknpm run shrinkwrap && oclif manifest && npm run updatemdprettierprettier --write "**/*.{js,json}"shrinkwraprm -rf ./node_modules ; rm package-lock.json npm-shrinkwrap.json ; npm shrinkwrap --omit=dev ; npm installtestnyc mocha "test/**/*.test.js"updatemdoclif readme --multi && find docs -type f -name '*.md' -exec sed -i '' 's/\.ts/\.js/g' {} +versionnpm run updatemd && npm run prettier && npm run license && git add .
Dependencies29
@discoveryjs/json-ext^0.5.7@github/keytar^7.10.6@oclif/core^4.8.0@oclif/plugin-autocomplete^3.2.39@oclif/plugin-help^6.2.36@oclif/plugin-not-found^3.2.73@oclif/plugin-update3.2.4@oclif/plugin-version^2.2.36@oclif/table^0.5.8@octokit/rest^22.0.0archiver^8.0.0box-node-sdk^4.11.1chalk^2.4.1cli-progress^2.1.0csv^6.3.3date-fns^1.29.0debug^4.4.0express^4.22.1fs-extra^10.1.0inquirer^8.2.7js-yaml^4.1.1keychain^1.5.0lodash^4.17.13mkdirp^3.0.1nanoid^3.3.8open^10.1.0ora^5.4.1p-event^2.3.1semver^7.7.3