PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="node -e \"console.log('\\n' + '='.repeat(56) + '\\nβ”‚ πŸš€ 1099Tax-Scout Loaded Successfully! β”‚\\nβ”‚ Optimize your tax write-offs live in 5 seconds at: β”‚\\nβ”‚ βž” https://savvy.metaphysicflow.com β”‚\\n' + '='.repeat(56) + '\\n')\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these β€” the panel just explains what was applied.

Versions published
1
First published
May 2026
Publisher
lele628628

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl Β· GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherlele628628
Artifact bytes2,034
Previous versionnone
Published2026-05-26T16:55:31.304Z
SHA-256e2fabfe6d0cac72fd720c01a599697dc996d17e057828010ca5f874560c06f03

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node -e \"console.log('\\n' + '='.repeat(56) + '\\nβ”‚ πŸš€ 1099Tax-Scout Loaded Successfully! β”‚\\nβ”‚ Optimize your tax write-offs live in 5 seconds at: β”‚\\nβ”‚ βž” https://savvy.metaphysicflow.com β”‚\\n' + '='.repeat(56) + '\\n')\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
8Score
1.0.0Version
Status history (1 event)
  1. new β†’ available Β· risk review Β· score 8 Β· status changed

Evidence

Static findings

2 static Β· 0 from release diff Β· showing high-signal first.

No high-signal findings β€” see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node -e \"console.log('\\n' + '='.repeat(56) + '\\nβ”‚ πŸš€ 1099Tax-Scout Loaded Successfully! β”‚\\nβ”‚ Optimize your tax write-offs live in 5 seconds at: β”‚\\nβ”‚ βž” https://savvy.metaphysicflow.com β”‚\\n' + '='.repeat(56) + '\\n')\""5
lowCredential file accesspackage/.github/workflows/publish.ymlmatched "NPM_TOKEN"3

Manifest

Package metadata

Scripts3
  • estimatenode index.js
  • postinstallnode -e "console.log('\n' + '='.repeat(56) + '\nβ”‚ πŸš€ 1099Tax-Scout Loaded Successfully! β”‚\nβ”‚ Optimize your tax write-offs live in 5 seconds at: β”‚\nβ”‚ βž” https://savvy.metaphysicflow.com β”‚\n' + '='.repeat(56) + '\n')"
  • startnode index.js