PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="echo '\\n ecc-universal installed!\\n Run: npx ecc typescript\\n Compat: npx ecc-install typescript\\n Docs: https://github.com/affaan-m/ECC\\n'"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
4,246Niche · −30% score
Versions published
8
First published
Feb 2026
Publisher
cogsec

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercogsec
Artifact bytes4,595,803
Previous version2.0.0-rc.1
Published2026-06-10T08:16:50.334Z
SHA-25614b1afb47e1b21041ff852d7540c07393e2c359addd7ee5e0e7889feac6673eb

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="echo '\\n ecc-universal installed!\\n Run: npx ecc typescript\\n Compat: npx ecc-install typescript\\n Docs: https://github.com/affaan-m/ECC\\n'"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
2.0.0Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="echo '\\n ecc-universal installed!\\n Run: npx ecc typescript\\n Compat: npx ecc-install typescript\\n Docs: https://github.com/affaan-m/ECC\\n'"5

Manifest

Package metadata

Scripts28
  • build:opencodenode scripts/build-opencode.js
  • catalog:checknode scripts/ci/catalog.js --text
  • catalog:syncnode scripts/ci/catalog.js --write --text
  • clawnode scripts/claw.js
  • command-registry:checknode scripts/ci/generate-command-registry.js --check
  • command-registry:generatenode scripts/ci/generate-command-registry.js
  • command-registry:writenode scripts/ci/generate-command-registry.js --write
  • control:panenode scripts/control-pane.js
  • coveragec8 --all --include="scripts/**/*.js" --check-coverage --lines 80 --functions 80 --branches 80 --statements 80 --reporter=text --reporter=lcov node tests/run-all.js
  • dashboardpython3 ./ecc_dashboard.py
  • discussion:auditnode scripts/discussion-audit.js
  • harness:adaptersnode scripts/harness-adapter-compliance.js
  • harness:auditnode scripts/harness-audit.js
  • linteslint . && markdownlint '**/*.md' --ignore node_modules
  • observability:readynode scripts/observability-readiness.js
  • operator:dashboardnode scripts/operator-readiness-dashboard.js
  • orchestrate:statusnode scripts/orchestration-status.js
  • orchestrate:tmuxnode scripts/orchestrate-worktrees.js
  • orchestrate:workerbash scripts/orchestrate-codex-worker.sh
  • platform:auditnode scripts/platform-audit.js
  • postinstallecho '\n ecc-universal installed!\n Run: npx ecc typescript\n Compat: npx ecc-install typescript\n Docs: https://github.com/affaan-m/ECC\n'
  • prepacknpm run build:opencode
  • preview-pack:smokenode scripts/preview-pack-smoke.js
  • release:approval-gatenode scripts/release-approval-gate.js
  • release:video-suitenode scripts/release-video-suite.js
  • security:advisory-sourcesnode scripts/ci/supply-chain-advisory-sources.js
  • security:ioc-scannode scripts/ci/scan-supply-chain-iocs.js
  • testnode scripts/ci/check-unicode-safety.js && node scripts/ci/validate-agents.js && node scripts/ci/validate-commands.js && node scripts/ci/validate-rules.js && node scripts/ci/validate-skills.js && node scripts/ci/validate-hooks.js && node scripts/ci/validate-install-manifests.js && node scripts/ci/validate-no-personal-paths.js && npm run catalog:check && npm run command-registry:check && node tests/run-all.js
Dependencies3
  • @iarna/toml^2.2.5
  • ajv^8.18.0
  • sql.js^1.14.1