PkgRadar

Package evidence

@shareai-lab/[email protected]

Install Lifecycle Suppresses Failure: postinstall="node scripts/postinstall.js || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
68Established · −30% score
First published
Aug 2025
Publisher
im10durry

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@shareai-lab/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@shareai-lab/[email protected]"],"fail_on":"high"}'
Publisherim10durry
Artifact bytes1,347,736
Previous version2.2.0
Published2026-06-05T12:21:44.755Z
SHA-25626979190fed850c0811d81e40bc4cce6402a7b2872ccc39a36c37be94e77df4a

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 2.2.1 vs 2.2.0: "node scripts/postinstall.js || true"

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
75Score
2.2.1Version
Status history (1 event)
  1. newavailable · risk high · score 75 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Install Lifecycle Suppresses Failure — postinstall="node scripts/postinstall.js || true"

49 members · evidence strength 85
Repeated static TTPcandidate

Install Lifecycle Suppresses Failure — postinstall="node scripts/postinstall.js || true"

49 members · max score 75

Evidence

Static findings

5 static · 1 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpostinstall added in 2.2.1 vs 2.2.0: "node scripts/postinstall.js || true"40
highInstall Lifecycle Suppresses Failurepackage.jsonpostinstall="node scripts/postinstall.js || true"20
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpostinstall added in 2.2.1 vs 2.2.0: "node scripts/postinstall.js || true"40
highInstall Lifecycle Suppresses Failurepackage.jsonpostinstall="node scripts/postinstall.js || true"20
lowCredential file accesspackage/dist/chunk-4JIIEBCG.jsmatched ".npmrc"5
lowCredential file accesspackage/dist/chunk-Y4KYTBFR.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.js || true"5
lowObfuscation Densitypackage/dist/chunk-SGWA46IL.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts21
  • bench:startupbun run scripts/bench-startup.mjs
  • buildbun run build:npm
  • build:binarybun run scripts/build-binary.mjs
  • build:npmbun run scripts/build.mjs
  • cleanbun run scripts/clean.mjs
  • devbun run ./src/entrypoints/cli.tsx --verbose
  • formatprettier --write "src/**/*.{ts,tsx,js,jsx,json}" "tests/**/*.{ts,tsx,js,jsx,json}"
  • format:checkprettier --check "src/**/*.{ts,tsx,js,jsx,json}" "tests/**/*.{ts,tsx,js,jsx,json}"
  • linteslint . --ext .ts,.tsx,.js --max-warnings 0
  • lint:fixeslint . --ext .ts,.tsx,.js --fix
  • parity:referencebun run scripts/reference-parity-check.mjs
  • postinstallnode scripts/postinstall.js || true
  • preparebun run scripts/install-hooks.mjs
  • prepublishOnlybun run build:npm && bun run scripts/prepublish-check.js
  • publish:devbun run scripts/publish-dev.js
  • publish:releasebun run scripts/publish-release.js
  • testbun test
  • test:e2ebun test tests/e2e
  • test:integrationbun test tests/integration
  • test:unitbun test tests/unit
  • typechecktsc --noEmit
Dependencies52
  • @anthropic-ai/bedrock-sdk^0.12.6
  • @anthropic-ai/sdk^0.39.0
  • @anthropic-ai/vertex-sdk^0.7.0
  • @aws-sdk/client-bedrock-runtime3.797.0
  • @commander-js/extra-typings^13.1.0
  • @inkjs/ui^2.0.0
  • @modelcontextprotocol/sdk^1.15.1
  • @types/lodash-es^4.17.12
  • @types/react^19.1.8
  • @vscode/ripgrep^1.17.0
  • ajv^8.17.1
  • ansi-escapes^7.0.0
  • chalk^5.4.1
  • cli-highlight^2.1.11
  • cli-table3^0.6.5
  • commander^13.1.0
  • debug^4.4.1
  • diff^7.0.0
  • dotenv^16.6.1
  • env-paths^3.0.0
  • fflate^0.8.2
  • figures^6.1.0
  • glob^11.0.3
  • gray-matter^4.0.3
  • highlight.js^11.11.1
  • ignore^7.0.5
  • ink5.2.1
  • ink-link^4.1.0
  • ink-select-input^6.2.0
  • ink-text-input^6.0.0
  • …and 22 more.