Package evidence

@lynox-ai/[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 936
Versions published: 47
First published: Apr 2026
Publisher: brandfusion

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@lynox-ai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@lynox-ai/[email protected]"],"fail_on":"high"}'

Publisherbrandfusion

Artifact bytes886,075

Previous version1.7.0

Published2026-05-24T23:43:27.144Z

SHA-256b598c4d8e919f772025a506b669c019bfa13ae19d0ebae0b36d1cafaf7384959

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

3d agoLast checked

highRisk

50Score

1.7.1Version

Status history (5 events)

available → available10d ago · risk high · score 50 · status available -> available, risk high -> high, score 35 -> 50
available → available14d ago · risk high · score 35 · status available -> available, risk high -> high, score 126 -> 35
available → available19d ago · risk high · score 126 · status available -> available, risk high -> high, score 150 -> 126
available → available19d ago · risk high · score 150 · status available -> available, risk high -> high, score 396 -> 150
new → available19d ago · risk high · score 396 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

brandfusion

2 members · evidence strength 64

Repeated static TTPstale

Install Lifecycle Suppresses Failure — prepare="lefthook install || true"

6 members · evidence strength 90

Repeated static TTPstale

Install-time lifecycle script — postinstall="node -e \"const f='scripts/postinstall.cjs';require('node:fs').existssync(f)&&require('node:child_process').spawnsync(process.execpath,[f],{stdio:'inherit'})\""

2 members · evidence strength 70

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})\""	30

Show all 5 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Remote Or Exec	package.json	postinstall="node -e \"const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})\""	30
low	Credential file access	package/dist/server/http-api.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/core/llm-client.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/core/vertex-oauth.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Install-time lifecycle script	package.json	postinstall="node -e \"const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})\""	5

Manifest

Package metadata

Scripts16

benchvitest bench --config vitest.bench.config.ts
bench:onlinevitest bench --config vitest.bench.config.ts tests/performance/online/
buildtsc
coveragevitest run --coverage
devnode --env-file=.env --watch --import tsx src/index.ts
linteslint src/
postinstallnode -e "const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})"
prepackfind dist -name '*.js.map' -o -name '*.d.ts.map' | xargs rm -f
preparelefthook install || true
prepublishOnlynpm run build
securitysh scripts/security-scan.sh && vitest run tests/security/
smoke:localbash scripts/smoke-local.sh
startnode dist/index.js
testvitest run
test:watchvitest
typechecktsc --noEmit

Dependencies13

@anthropic-ai/sdk^0.96.0
@huggingface/transformers^4.2.0
@mozilla/readability^0.6.0
@rolldown/binding-darwin-arm641.0.1
@sentry/node^10.46.0
better-sqlite3^12.6.2
email-reply-parser^2.3.5
iconv-lite^0.7.2
imapflow^1.0.181
linkedom^0.18.12
nodemailer^8.0.7
web-push^3.6.7
zod^4.3.6