PkgRadar

Package evidence

@vectrion/[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these β€” the panel just explains what was applied.

Versions published
2
First published
May 2026
Publisher
adi15jain

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl Β· GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@vectrion/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@vectrion/[email protected]"],"fail_on":"high"}'
Publisheradi15jain
Artifact bytes4,246
Previous version0.1.0
Published2026-05-27T20:39:16.164Z
SHA-25687340328785216658266b0d6a6a1d47302f29e8b773b93e86b90c78dbf251ca5

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 0.1.1 vs 0.1.0: "node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
75Score
0.1.1Version
Status history (2 events)
  1. available β†’ available Β· risk high Β· score 75 Β· status available -> available, risk high -> high, score 45 -> 75
  2. new β†’ available Β· risk high Β· score 45 Β· status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burstactive

adi15jain

6 members Β· evidence strength 70
Publisher / release actor burstcandidate

adi15jain

6 members Β· max score 75

Evidence

Static findings

3 static Β· 1 from release diff Β· showing high-signal first.

SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpostinstall added in 0.1.1 vs 0.1.0: "node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""40
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""30
highNew Account With Lifecycle Hookpackage.jsonpackage first published 14 day(s) ago, 2 total version(s), has lifecycle hook25
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpostinstall added in 0.1.1 vs 0.1.0: "node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""40
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""30
highNew Account With Lifecycle Hookpackage.jsonpackage first published 14 day(s) ago, 2 total version(s), has lifecycle hook25
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node -e \"console.log('\\x1b[32m%s\\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\\\n Happy coding! πŸ’»βœ¨')\""5

Manifest

Package metadata

Scripts4
  • buildtsup
  • linteslint src/**/*.ts
  • postinstallnode -e "console.log('\x1b[32m%s\x1b[0m', ' πŸš€ Thanks for installing Vectrion! For guides and API docs, visit: https://vectrion.vercel.app/\\n Happy coding! πŸ’»βœ¨')"
  • typechecktsc --noEmit
Dependencies3
  • @vectrion/shared0.1.1
  • @vectrion/types0.1.1
  • zod^3.22.4