Package evidence
@junghanacs/[email protected]
Install-time lifecycle script: postinstall="node scripts/postinstall-chmod.cjs"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 10
- First published
- May 2026
- Publisher
- junghanacs
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@junghanacs/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@junghanacs/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="node scripts/postinstall-chmod.cjs"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="node scripts/postinstall-chmod.cjs" | 5 |
Manifest
Package metadata
Scripts30
checkpnpm lint && pnpm typecheck && pnpm check:plugins && ./run.sh check-mcp && ./run.sh check-shell-quote && ./run.sh check-entwurf-session-identity && ./run.sh check-plugin-empty-final-recovery && ./run.sh check-plugin-prompt-format && ./run.sh check-async-resume-gate && ./run.sh check-package-source-routing && ./run.sh check-model-lock && ./run.sh check-models && ./run.sh check-backends && ./run.sh check-registration && ./run.sh check-dep-versions && ./run.sh check-auth-boundary && ./run.sh check-sdk-surface && ./run.sh verify-transcript-poison && ./run.sh check-packcheck-async-resume-gate./run.sh check-async-resume-gatecheck-auth-boundary./run.sh check-auth-boundarycheck-backends./run.sh check-backendscheck-claude-sessions./run.sh check-claude-sessionscheck-dep-versions./run.sh check-dep-versionscheck-entwurf-session-identity./run.sh check-entwurf-session-identitycheck-mcp./run.sh check-mcpcheck-model-lock./run.sh check-model-lockcheck-models./run.sh check-modelscheck-pack./run.sh check-packcheck-pack-install./run.sh check-pack-installcheck-package-source-routing./run.sh check-package-source-routingcheck-registration./run.sh check-registrationcheck-sdk-surface./run.sh check-sdk-surfacecheck-shell-quote./run.sh check-shell-quotecheck:pluginspnpm -r --filter "./plugins/*" run checkformatbiome check --write .lintbiome check .postinstallnode scripts/postinstall-chmod.cjssetup./run.sh setupsmoke./run.sh smokesmoke-all./run.sh smoke-allsmoke-async-resume./run.sh smoke-async-resumesmoke-claude./run.sh smoke-claudesmoke-codex./run.sh smoke-codexsmoke-gemini./run.sh smoke-geminitest:packpnpm run check-pack && pnpm run check-pack-installtypechecktsc --noEmit && tsc -p mcp/tsconfig.json && tsc -p scripts/tsconfig.jsonverify-transcript-poison./run.sh verify-transcript-poison
Dependencies6
@agentclientprotocol/claude-agent-acp0.39.0@agentclientprotocol/sdk0.22.1@anthropic-ai/sdk0.100.1@modelcontextprotocol/sdk^1.12.1@zed-industries/codex-acp0.15.0zod^3.25.0 || ^4.0.0