Package evidence

@mountainpass/[email protected]

Install-time lifecycle script: postinstall="npm run requirements-check"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mountainpass/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mountainpass/[email protected]"],"fail_on":"high"}'

Publishertompahoward

Artifact bytes284,608

Previous version2.6.12

Published2026-05-24T21:39:25.242Z

SHA-256d8a16be2b600bde1e06433ee707a15858564d510174fa0d34de57b6105aab271

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="npm run requirements-check"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

19d agoLast checked

highRisk

30Score

2.6.13Version

Status history (2 events)

available → available19d ago · risk high · score 30 · status available -> available, risk high -> high, score 64 -> 30
new → available20d ago · risk high · score 64 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

tompahoward

5 members · evidence strength 76

Repeated static TTPstale

Install-time lifecycle script — postinstall="npm run requirements-check"

5 members · evidence strength 82

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Install-time lifecycle script	package.json	postinstall="npm run requirements-check"	30

Manifest

Package metadata

Scripts118

add-changesetchangeset add --open
buildbabel . --ignore ./LICENSE.template.md --ignore node_modules --ignore test --ignore lib --ignore cucumber.js --ignore scripts -d lib
build:dockerdocker build --build-arg PACKAGE_TGZ=mountainpass-addressr-${npm_package_version}.tgz --build-arg PACKAGE=${npm_package_name} --build-arg VERSION=${npm_package_version} --build-arg MAINTAINER=${npm_package_author_email} -t mountainpass/addressr:${npm_package_version} -t mountainpass/addressr:latest .
build:workeresbuild deploy/cloudflare-worker/worker.js --bundle --format=esm --outfile=deploy/cloudflare-worker/worker.bundled.js
check-depsdry-aged-deps --check
check-licenseslicense-checker --production --onlyAllow 'MIT;Apache-2.0;ISC;Custom: http://github.com/substack/node-bufferlist;Unlicense;BSD-2-Clause;BSD-3-Clause;WTFPL;0BSD;MIT*;Python-2.0;MPL-2.0;BlueOak-1.0.0' --summary
check:not-cli2-tagsnode scripts/check-not-cli2-tags.mjs
ci:publish[ "$CI" = true ] && changeset publish || echo "Dry run: changeset publish"
ci:version[ "$CI" = true ] && changeset version || echo "Dry run: changeset version"
cover:cli:geonyc --report-dir coverage/cli --temp-dir coverage/cli/.nyc_output npm run test:cli:nogeo
cover:cli:nogeonyc --report-dir coverage/cli --temp-dir coverage/cli/.nyc_output npm run test:cli:nogeo
cover:nodejs:geonyc --report-dir coverage/nodejs-geo --temp-dir coverage/nodejs-geo/.nyc_output npm run test:nodejs:geo
cover:nodejs:nogeonyc --report-dir coverage/nodejs --temp-dir coverage/nodejs/.nyc_output npm run test:nodejs:nogeo
cover:rest:geonyc --report-dir coverage/rest-geo --temp-dir coverage/rest-geo/.nyc_output npm run test:rest:geo
cover:rest:nogeonyc --report-dir coverage/rest --temp-dir coverage/rest/.nyc_output npm run test:rest:nogeo
deploy:proddeploy/deploy.sh
deploy:testdeploy/deploy.sh
docker:pushdocker push "mountainpass/addressr:${npm_package_version}"
dopublishnpm publish mountainpass-addressr-${npm_package_version}.tgz --access public
dotest:cli2:geoADDRESSR_ENABLE_GEO=1 ES_INDEX_NAME=test COVERED_STATES=OT TEST_PROFILE=cli2 cucumber-js -p cli2 -- --harmony_async_iteration
dotest:cli2:nogeoES_INDEX_NAME=test COVERED_STATES=OT TEST_PROFILE=cli2 cucumber-js -p cli2 -- --harmony_async_iteration
dotest:cli:nogeoES_INDEX_NAME=test COVERED_STATES=OT TEST_PROFILE=cli cucumber-js -p cli -- --harmony_async_iteration
gen-install-cmdecho "#!/bin/sh npm install -g ${npm_package_name}@${npm_package_version}" > install.sh
genversiongenversion --es6 --semi version.js
hmmecho mountainpass-addressr-${npm_package_version}.tgz
linteslint . --fix
npm-checknpm-check --skip-unused
npm-check-unusednpm-check
npm-check:interactivenpm-check --skip-unused -u
postbuildcp -r api lib/.
…and 88 more.

Dependencies21

@changesets/cli^2.26.2
@mountainpass/waycharter^2.0.30
@opensearch-project/opensearch^3.5.1
debug^4.1.1
directory-exists^2.0.1
dotenv^10.0.0
express^4.17.1
glob^13.0.6
http-link-header^1.1.3
js-yaml^4.1.1
json-ptr^3.1.1
keyv^5.6.0
keyv-file^5.3.3
node-machine-id^1.1.12
papaparse^5.0.0
progress^2.0.3
semver^7.3.2
swagger-tools^0.10.4
unzip-stream^0.3.0
uri-template-lite^23.4.0
wait-port^1.1.0