PkgRadar

Package evidence

[email protected]

New Account With Lifecycle Hook: package first published 19 day(s) ago, 3 total version(s), has lifecycle hook

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
46
Versions published
3
First published
May 2026
Publisher
bra1ndump

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherbra1ndump
Artifact bytes12,389,425
Previous versionnone
Published2026-05-22T05:29:31.487Z
SHA-25683c63630636186f60968d5986eea3cbf6a2dbbf19417ed795205a11d1423d8a1

Why flagged

What the scanner saw

New Account With Lifecycle Hook: package first published 19 day(s) ago, 3 total version(s), has lifecycle hook

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
10Score
1.1.10-beta.6Version
Status history (1 event)
  1. newavailable · risk high · score 10 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highNew Account With Lifecycle Hookpackage.jsonpackage first published 19 day(s) ago, 3 total version(s), has lifecycle hook25
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
highNew Account With Lifecycle Hookpackage.jsonpackage first published 19 day(s) ago, 3 total version(s), has lifecycle hook25
lowCredential file accesspackage/webapp/_expo/static/js/web/ssh-config-36ce51e4480c9cf96dd0fa1f7c820e62.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="prisma generate --schema=prisma/schema.prisma"5
lowLarge Javascript Payloadpackage/webapp/_expo/static/js/web/__common-96e2c1ac3771235f59006c43846a6717.js6450990 bytes0
lowObfuscation Densitypackage/webapp/_expo/static/js/web/flowDiagram-NV44I4VS-37687cf9a9012d50c29c1df0e285b262.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/webapp/_expo/static/js/web/index-9851d10a97fa2db06628a7616e61c4f0.js7769546 bytes0

Manifest

Package metadata

Scripts18
  • buildtsc --noEmit && node scripts/build-runtime.cjs
  • build:runtimenode scripts/build-runtime.cjs
  • build:standalonebun build ./sources/standalone.ts --compile --outfile dist/happy-server --target bun && find ../../node_modules/@electric-sql/pglite/dist -name 'pglite.wasm' -exec cp {} dist/ \; && find ../../node_modules/@electric-sql/pglite/dist -name 'pglite.data' -exec cp {} dist/ \; && cp -r prisma/migrations dist/prisma/migrations
  • bundle:webappnode ../happy-cli/scripts/bundle-webapp.cjs --out-dir webapp
  • dbdocker run -d -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=handy -v $(pwd)/.pgdata:/var/lib/postgresql/data -p 5432:5432 postgres
  • devlsof -ti tcp:3005 | xargs kill -9 && tsx --env-file=.env --env-file=.env.dev ./sources/main.ts
  • generateprisma generate --schema=prisma/schema.prisma
  • migratedotenv -e .env.dev -- prisma migrate dev
  • migrate:resetdotenv -e .env.dev -- prisma migrate reset
  • postinstallprisma generate --schema=prisma/schema.prisma
  • redisdocker run -d -p 6379:6379 redis
  • s3docker run -d --name minio -p 9000:9000 -p 9001:9001 -e MINIO_ROOT_USER=minioadmin -e MINIO_ROOT_PASSWORD=minioadmin -v $(pwd)/.minio/data:/data minio/minio server /data --console-address :9001
  • s3:downdocker rm -f minio || true
  • s3:initdotenv -e .env.dev -- docker run --rm --network container:minio --entrypoint /bin/sh minio/mc -c "mc alias set local http://localhost:9000 $S3_ACCESS_KEY $S3_SECRET_KEY && mc mb -p local/$S3_BUCKET || true && mc anonymous set download local/$S3_BUCKET"
  • standalonetsx ./sources/standalone.ts
  • standalone:devtsx --env-file=.env.dev ./sources/standalone.ts migrate && tsx --env-file=.env.dev ./sources/standalone.ts serve
  • starttsx ./sources/main.ts
  • testvitest run
Dependencies36
  • @date-fns/tz^1.2.0
  • @electric-sql/pglite^0.3.15
  • @fastify/bearer-auth^10.1.1
  • @fastify/cors^10.0.1
  • @fastify/static^8.1.1
  • @prisma/client6.19.2
  • @slopus/happy-wire0.1.0
  • @socket.io/redis-streams-adapter^0.2.2
  • axios^1.6.8
  • chalk4.1.2
  • date-fns^4.1.0
  • dotenv^16.4.5
  • elevenlabs^1.54.0
  • fastify^5.2.0
  • fastify-type-provider-zod^4.0.2
  • ioredis^5.6.1
  • jsonwebtoken^9.0.2
  • minio^8.0.5
  • octokit^5.0.3
  • pglite-prisma-adapter^0.7.2
  • pino^10.3.0
  • pino-pretty^13.0.0
  • prisma6.19.2
  • prisma-json-types-generator^3.5.1
  • privacy-kit^0.0.25
  • prom-client^15.1.3
  • reflect-metadata^0.2.2
  • semver^7.7.2
  • sharp^0.34.3
  • socket.io^4.8.1
  • …and 6 more.