PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="node scripts/postinstall.cjs"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishertype-delta
Artifact bytes209,254
Previous version0.4.4
Published2026-05-24T11:23:24.744Z
SHA-256ddf7aa94ee2d766cadacb4a3e21136055e5aa118910dbd76a01396f0da8906d7

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node scripts/postinstall.cjs"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
36Score
0.4.5Version
Status history (2 events)
  1. availableavailable · risk high · score 36 · status available -> available, risk high -> high, score 60 -> 36
  2. newavailable · risk high · score 60 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

type-delta

2 members · evidence strength 56

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.cjs"30
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.cjs"30
lowObfuscationpackage/dist/workers/generic.worker.min.jsmatched "eval("3
lowObfuscationpackage/dist/index.jsmatched "\\uFE0F"3

Manifest

Package metadata

Scripts18
  • bench:git-configbun run ./test/benchmarks/git-config.bench.ts
  • bench:litedentbun run ./test/benchmarks/litedent.bench.ts
  • bench:strwrapbun run ./test/benchmarks/tools/strwrap.bench.js
  • buildbun run transpile-esm && bun build ./src/index.ts --outfile=./bin/gdx --compile --bytecode --production --keep-names
  • checkbun run ts-check && bun run lint && bun run build
  • dummy-editorbun ./scripts/dummyEditor.mjs
  • lintbun run ts-check && eslint src --ext .ts -c eslint.config.ts --fix
  • package:nodebun run transpile-esm && bun build ./src/index.ts --outdir=./dist --target=node --external=keytar --external=cspell-lib --external=@shikijs/cli --external=yaml --external=openai --external=fflate --format=esm --production --keep-names && bun build ./src/workers/generic.worker.ts --outfile=./dist/workers/generic.worker.min.js --target=node --external=@shikijs/cli --format=esm --production --minify --keep-names
  • postinstallnode scripts/postinstall.cjs
  • prepackbun run package:node
  • prepare-devbun i && bun run transpile-esm
  • prettierprettier --write "src/**/*.ts" "test/**/*.ts" "./*.md"
  • startbun run src/index.ts
  • start:nodetsx src/index.ts
  • start:profilebun --cpu-prof src/index.ts
  • testbun test
  • transpile-esmbunx tsc -p lib/tsconfig.json && bun run scripts/transform-tools.mjs
  • ts-checkbunx tsc --noEmit
Dependencies7
  • @shikijs/cli^4.1.0
  • cspell-lib10.0.0
  • diff^9.0.0
  • fflate^0.8.3
  • keytar^7.9.0
  • openai^6.38.0
  • yaml^2.9.0