PkgRadar

Package evidence

@horang-labs/[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
56
Versions published
8
First published
Apr 2026
Publisher
faggomsa

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@horang-labs/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@horang-labs/[email protected]"],"fail_on":"high"}'
Publisherfaggomsa
Artifact bytes19,425,698
Previous version0.1.4
Published2026-05-12T03:26:46.838Z
SHA-256ecaa591f78f22000e07d3b390788ddc376097e9118c374642005b6710e5b5018

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: postinstall="node -e \"const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
40Score
0.1.5Version
Status history (1 event)
  1. newavailable · risk high · score 40 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});\""30
mediumNew Account With Lifecycle Hookpackage.jsonpackage first published 46 day(s) ago, 8 total version(s), has lifecycle hook10
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});\""30
mediumNew Account With Lifecycle Hookpackage.jsonpackage first published 46 day(s) ago, 8 total version(s), has lifecycle hook10
lowCredential file accesspackage/.next/static/chunks/1003.bb94e895d06846cb.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node -e \"const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});\""5

Manifest

Package metadata

Scripts23
  • buildcross-env TURBOPACK= __NEXT_DEV_SERVER= __NEXT_PROCESSED_ENV= NODE_ENV=production next build --webpack
  • build:telemetrynode scripts/with-posthog-telemetry-build.mjs npm run build
  • devcross-env NODE_ENV=development tsx server.ts
  • electron:build:allnpm run electron:prebuild && electron-builder build --publish never
  • electron:build:linuxnpm run electron:prebuild && electron-builder --linux AppImage deb --x64 --publish never
  • electron:build:mac-arm64npm run electron:prebuild && electron-builder --mac --arm64 --publish never
  • electron:build:mac-arm64:signednpm run electron:prebuild && TESSERA_MAC_DISTRIBUTION=1 electron-builder --mac dmg --arm64 --publish never --config.forceCodeSigning=true --config.mac.notarize=false && node scripts/notarize-mac-dmg.cjs arm64
  • electron:build:mac-x64npm run electron:prebuild && electron-builder --mac --x64 --publish never
  • electron:build:mac-x64:signednpm run electron:prebuild && TESSERA_MAC_DISTRIBUTION=1 electron-builder --mac dmg --x64 --publish never --config.forceCodeSigning=true --config.mac.notarize=false && node scripts/notarize-mac-dmg.cjs x64
  • electron:build:mac:signednpm run electron:prebuild && TESSERA_MAC_DISTRIBUTION=1 electron-builder --mac dmg --x64 --arm64 --publish never --config.forceCodeSigning=true --config.mac.notarize=false && node scripts/notarize-mac-dmg.cjs x64 arm64
  • electron:build:winnpm run electron:prebuild && electron-builder --win portable --x64 --publish never
  • electron:build:win:telemetrynode scripts/with-posthog-telemetry-build.mjs npm run electron:build:win
  • electron:compilenode -e "require('fs').rmSync('dist-electron',{recursive:true,force:true})" && tsc -p electron/tsconfig.json
  • electron:devnpm run electron:compile && concurrently -k -n SERVER,ELECTRON -c cyan,yellow "cross-env NODE_ENV=development PORT=3100 TESSERA_ELECTRON_AUTH_BYPASS=1 npx tsx server.ts" "wait-on http://localhost:3100 && cross-env TESSERA_DEV_PORT=3100 electron dist-electron/electron/main.js"
  • electron:prebuildnpm run build && npm run electron:compile && npm run electron:prepare-runtime
  • electron:prebuild:telemetrynode scripts/with-posthog-telemetry-build.mjs npm run electron:prebuild
  • electron:prepare-runtimenode scripts/prepare-electron-runtime.mjs
  • linteslint .
  • npm:prepacknpm run build && npm run server:compile
  • postinstallnode -e "const fs=require('fs'); if (fs.existsSync('.electron-runtime')) require('child_process').execFileSync('electron-builder', ['install-app-deps'], {stdio:'inherit'});"
  • prepacknpm run npm:prepack
  • server:compilenode -e "require('fs').rmSync('dist-server',{recursive:true,force:true})" && tsc -p tsconfig.server.json
  • startcross-env NODE_ENV=production tsx server.ts
Dependencies31
  • @tanstack/react-virtual^3.13.24
  • @xterm/addon-fit^0.10.0
  • @xterm/xterm^5.5.0
  • agentation^3.0.2
  • bcryptjs^3.0.3
  • class-variance-authority^0.7.1
  • clsx^2.1.1
  • date-fns^4.1.0
  • framer-motion^12.34.0
  • i18next^25.8.13
  • jsonwebtoken^9.0.2
  • lucide-react^0.563.0
  • next^16.2.3
  • node-pty^1.1.0
  • pino^8.18.0
  • posthog-js^1.372.6
  • react^19.2.5
  • react-dom^19.2.5
  • react-i18next^16.5.4
  • react-markdown^10.1.0
  • rehype-raw^7.0.0
  • rehype-sanitize^6.0.0
  • remark-gfm^4.0.1
  • shiki^3.22.0
  • sql.js^1.14.1
  • tailwind-merge^3.4.0
  • tinykeys^3.0.0
  • uuid^9.0.1
  • ws^8.16.0
  • zod^3.22.0
  • …and 1 more.