Package evidence

@mmmbuto/[email protected]

Install Lifecycle Suppresses Failure: postinstall="node scripts/postinstall.cjs || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 428
Versions published: 47Established · −30% score
First published: Dec 2025
Publisher: dionanos

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mmmbuto/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mmmbuto/[email protected]"],"fail_on":"high"}'

Publisherdionanos

Artifact bytes20,095,147

Previous version0.38.3-termux

Published2026-04-30T13:27:45.744Z

SHA-256f604607743c000e23c386ee5747da7d6ffac125df497ac6448b71a5a5ab767da

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="node scripts/postinstall.cjs || true"

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

8h agoLast checked

highRisk

21Score

0.40.0-termuxVersion

Status history (1 event)

new → available8h ago · risk high · score 21 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Install Lifecycle Suppresses Failure — postinstall="node scripts/postinstall.cjs || true"

120 members · evidence strength 83

Repeated static TTPcandidate

Install Lifecycle Suppresses Failure — postinstall="node scripts/postinstall.cjs || true"

120 members · max score 65

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node scripts/postinstall.cjs \|\| true"	20

Show all 11 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Install Lifecycle Suppresses Failure	package.json	postinstall="node scripts/postinstall.cjs \|\| true"	20
low	Credential file access	package/bundle/gemini.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Install-time lifecycle script	package.json	postinstall="node scripts/postinstall.cjs \|\| true"	5
low	Large Javascript Payload	package/bundle/chunk-2XROOV4Y.js	3149170 bytes	0
low	Large Javascript Payload	package/bundle/chunk-7AH6L7YC.js	14804109 bytes	0
low	Large Javascript Payload	package/bundle/chunk-ERQL5TOU.js	3149170 bytes	0
low	Large Javascript Payload	package/bundle/chunk-F65HMOCO.js	14804336 bytes	0
low	Large Javascript Payload	package/bundle/chunk-FMFP43IQ.js	3149138 bytes	0
low	Large Javascript Payload	package/bundle/chunk-VLF26OPD.js	14804336 bytes	0
low	Large Javascript Payload	package/bundle/chunk-ZQ4DCRFM.js	3149138 bytes	0
low	Large Javascript Payload	package/bundle/bundled/chrome-devtools-mcp.mjs	11625049 bytes	0

Manifest

Package metadata

Scripts52

authnpm run auth:npm && npm run auth:docker
auth:dockergcloud auth configure-docker us-west1-docker.pkg.dev
auth:npmnpx google-artifactregistry-auth
buildnode scripts/build.js
build-and-startnpm run build && npm run start --
build:allnpm run build && npm run build:sandbox && npm run build:vscode
build:binarynode scripts/build_binary.js
build:packagesnpm run build --workspaces
build:sandboxnode scripts/build_sandbox.js
build:vscodenode scripts/build_vscode_companion.js
bundlenpm run generate && npm run build --workspace=@google/gemini-cli-devtools && npm run bundle:browser-mcp -w @google/gemini-cli-core && node esbuild.config.js && node scripts/copy_bundle_assets.js
check:lockfilenode scripts/check-lockfile.js
cleannode scripts/clean.js
debugcross-env DEBUG=1 node --inspect-brk scripts/start.js
deflakenode scripts/deflake.js
deflake:test:integration:sandbox:dockernpm run deflake -- --command="npm run test:integration:sandbox:docker -- --retry=0"
deflake:test:integration:sandbox:nonenpm run deflake -- --command="npm run test:integration:sandbox:none -- --retry=0"
docs:keybindingstsx ./scripts/generate-keybindings-doc.ts
docs:settingstsx ./scripts/generate-settings-doc.ts
formatprettier --experimental-cli --write .
generatenode scripts/generate-git-commit-info.js
lintcross-env NODE_OPTIONS="--max-old-space-size=8192" eslint . --cache --max-warnings 0
lint:allnode scripts/lint.js
lint:cinpm run lint:all
lint:fixeslint . --fix --ext .ts,.tsx && eslint integration-tests --fix && eslint scripts --fix && npm run format
postinstallnode scripts/postinstall.cjs || true
posttestnpm run build
pre-commitnode scripts/pre-commit.js
predocs:settingsnpm run build --workspace @google/gemini-cli-core
preflightnpm run clean && npm ci && npm run format && npm run build && npm run lint:ci && npm run typecheck && npm run test:ci
…and 22 more.

Dependencies7

@mmmbuto/pty-termux-utils^1.1.4
inknpm:@jrichman/[email protected]
latest-version^9.0.0
proper-lockfile^4.1.2
punycode^2.3.1
read-package-up^12.0.0
simple-git^3.28.0

Optional dependencies1

@esbuild/android-arm64^0.27.1