PkgRadar

Package evidence

[email protected]

New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: Jun 2026
Publisher: capillary

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisher: capillary
Artifact bytes: 7,923,402
Previous version: none
Published: 2026-06-11T06:49:19.107Z
SHA-256: 575a19037945a014bdf6565a841fe07b6bdcd7196e0467412a065046f3283275

Why flagged

What the scanner saw

New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 5
Version: 1.0.23
Status history (1 event)
  1. new · available · risk high · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | New Account With Lifecycle Hook | package.json | package first published 0 day(s) ago, 1 total version(s), has lifecycle hook | 25
low | Install-time lifecycle script | package.json | preinstall="npm run npmcheckversion" | 5

Manifest

Package metadata

Scripts (38)
  • analyze="node ./internals/scripts/analyze.js"
  • analyze:clean="rimraf stats.json"
  • build="cross-env NODE_OPTIONS=--max_old_space_size=4096 NODE_ENV=production webpack --config internals/webpack/webpack.prod.babel.js --color --progress"
  • build:analyze="cross-env NODE_OPTIONS=--max_old_space_size=4096 NODE_ENV=production ANALYZE=true webpack --config internals/webpack/webpack.prod.babel.js --color --progress"
  • build:clean="rimraf ./dist"
  • build:copy-all-files="babel-node ./scripts/copy-all-files.js"
  • build:library="npm run build:copy-all-files"
  • clean="shjs ./internals/scripts/clean.js"
  • clean:all="npm run analyze:clean && npm run test:clean && npm run build:clean"
  • extract-intl="node ./internals/scripts/extract-intl.js"
  • generate="plop --plopfile internals/generators/index.js"
  • lighthouse="node ./internals/lighthouse"
  • lint="npm run lint:js"
  • lint:css="stylelint './app/**/*.js'"
  • lint:eslint="eslint --fix"
  • lint:eslint:fix="eslint --fix"
  • lint:js="npm run lint:eslint -- app"
  • lint:staged="lint-staged"
  • npmcheckversion="node ./internals/scripts/npmcheckversion.js"
  • postbuild="npm run extract-intl && cp app/translations/en.json dist"
  • preanalyze="npm run analyze:clean"
  • prebuild="npm run build:clean"
  • preinstall="npm run npmcheckversion"
  • prepare="husky install"
  • presetup="npm i chalk shelljs"
  • prettify="prettier --write"
  • setup="node ./internals/scripts/setup.js"
  • size="size-limit"
  • sonar="node ./internals/sonar"
  • start="cross-env NODE_ENV=development NODE_OPTIONS=--max_old_space_size=4000 node server"
  • …and 8 more.
Dependencies (71)
  • @babel/polyfill 7.0.0
  • @bugsnag/js ^7.2.1
  • @bugsnag/plugin-react ^7.2.1
  • @capillarytech/cap-coupons 10.0.44
  • @capillarytech/cap-giftcards-ui 2.0.19
  • @capillarytech/cap-promo-ui 1.0.25
  • @capillarytech/cap-ui-library ^8.12.64
  • @capillarytech/cap-ui-utils ^3.0.11
  • @capillarytech/creatives-library 8.0.19
  • @capillarytech/vulcan-react-sdk ^2.2.2
  • @newrelic/browser-agent ^1.293.0
  • antd 3.16.2
  • axios ^0.18.0
  • babel-plugin-require-context-hook ^1.0.0
  • babel-plugin-transform-require-context ^0.1.1
  • chalk ^2.4.2
  • classnames ^2.2.6
  • compression 1.7.3
  • connected-react-router 4.5.0
  • cross-env 5.2.0
  • exports-loader ^0.7.0
  • express 4.16.4
  • fontfaceobserver 2.0.13
  • history 4.7.2
  • hoist-non-react-statics 3.0.1
  • husky ^8.0.3
  • immer ^8.0.1
  • immutable ^4.0.0-rc.12
  • intl 1.2.5
  • invariant 2.2.4
  • …and 41 more.