Package evidence

[email protected]

New Account With Lifecycle Hook: package first published 19 day(s) ago, 3 total version(s), has lifecycle hook

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: May 2026
Publisher: bra1ndump

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherbra1ndump

Artifact bytes12,457,070

Previous version1.1.10

Published2026-06-10T12:19:51.156Z

SHA-256231f254a91305c6d0a0742337ded7e82840b276fccf9d60236dcd13a0950e61c

Why flagged

What the scanner saw

New Account With Lifecycle Hook: package first published 19 day(s) ago, 3 total version(s), has lifecycle hook

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

35h agoLast checked

highRisk

10Score

1.1.11Version

Status history (1 event)

new → available35h ago · risk high · score 10 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	New Account With Lifecycle Hook	package.json	package first published 19 day(s) ago, 3 total version(s), has lifecycle hook	25

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	New Account With Lifecycle Hook	package.json	package first published 19 day(s) ago, 3 total version(s), has lifecycle hook	25
low	Credential file access	package/webapp/_expo/static/js/web/ssh-config-7e20085fb7c5cc692f2c5df20bbe87d2.js	matched ".ssh/"	5
low	Install-time lifecycle script	package.json	postinstall="prisma generate --schema=prisma/schema.prisma"	5
low	Large Javascript Payload	package/webapp/_expo/static/js/web/__common-d89478243c84e97dd0f6d0a0cbe8cbe8.js	6450990 bytes	0
low	Obfuscation Density	package/webapp/_expo/static/js/web/flowDiagram-NV44I4VS-026786f03aeacaa7fcd809242c6cd3b8.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/webapp/_expo/static/js/web/index-a739446afee642fd9b908e94a3d1cd1a.js	8129376 bytes	0

Manifest

Package metadata

Scripts19

buildpnpm run typecheck && node scripts/build-runtime.cjs
build:runtimenode scripts/build-runtime.cjs
build:standalonebun build ./sources/standalone.ts --compile --outfile dist/happy-server --target bun && find ../../node_modules/@electric-sql/pglite/dist -name 'pglite.wasm' -exec cp {} dist/ \; && find ../../node_modules/@electric-sql/pglite/dist -name 'pglite.data' -exec cp {} dist/ \; && cp -r prisma/migrations dist/prisma/migrations
bundle:webappnode ../happy-cli/scripts/bundle-webapp.cjs --out-dir webapp
dbdocker run -d -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=handy -v $(pwd)/.pgdata:/var/lib/postgresql/data -p 5432:5432 postgres
devlsof -ti tcp:3005 | xargs kill -9 && tsx --env-file=.env --env-file=.env.dev ./sources/main.ts
generateprisma generate --schema=prisma/schema.prisma
migratedotenv -e .env.dev -- prisma migrate dev
migrate:resetdotenv -e .env.dev -- prisma migrate reset
postinstallprisma generate --schema=prisma/schema.prisma
redisdocker run -d -p 6379:6379 redis
s3docker run -d --name minio -p 9000:9000 -p 9001:9001 -e MINIO_ROOT_USER=minioadmin -e MINIO_ROOT_PASSWORD=minioadmin -v $(pwd)/.minio/data:/data minio/minio server /data --console-address :9001
s3:downdocker rm -f minio || true
s3:initdotenv -e .env.dev -- docker run --rm --network container:minio --entrypoint /bin/sh minio/mc -c "mc alias set local http://localhost:9000 $S3_ACCESS_KEY $S3_SECRET_KEY && mc mb -p local/$S3_BUCKET || true && mc anonymous set download local/$S3_BUCKET"
standalonetsx ./sources/standalone.ts
standalone:devtsx --env-file=.env.dev ./sources/standalone.ts migrate && tsx --env-file=.env.dev ./sources/standalone.ts serve
starttsx ./sources/main.ts
testvitest run
typechecktsc --noEmit

Dependencies36

@date-fns/tz^1.2.0
@electric-sql/pglite^0.3.15
@fastify/bearer-auth^10.1.1
@fastify/cors^10.0.1
@fastify/static^8.1.1
@prisma/client6.19.2
@slopus/happy-wire0.1.0
@socket.io/redis-streams-adapter^0.2.2
axios^1.6.8
chalk4.1.2
date-fns^4.1.0
dotenv^16.4.5
elevenlabs^1.54.0
fastify^5.2.0
fastify-type-provider-zod^6.1.0
ioredis^5.6.1
jsonwebtoken^9.0.2
minio^8.0.5
octokit^5.0.3
pglite-prisma-adapter^0.7.2
pino^10.3.0
pino-pretty^13.0.0
prisma6.19.2
prisma-json-types-generator^3.5.1
privacy-kit^0.0.25
prom-client^15.1.3
reflect-metadata^0.2.2
semver^7.7.2
sharp^0.34.3
socket.io^4.8.1
…and 6 more.