Package evidence
[email protected]
New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- Jun 2026
- Publisher
- gagesgr
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook
1 candidate cluster(s) currently reference this release.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 73 · status changed
Related candidates
Linked campaigns and clusters
gagesgr
10 members · evidence strength 69gagesgr
10 members · max score 73Evidence
Static findings
11 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Account With Lifecycle Hook | package.json | package first published 0 day(s) ago, 1 total version(s), has lifecycle hook | 25 |
| medium | Remote Payload | package/dist/features/auto-update.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/hooks/session-end/callbacks.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/skills/project-session-manager/lib/providers/bitbucket.sh | matched "curl " | 12 |
| medium | Remote Payload | package/skills/project-session-manager/lib/providers/gitea.sh | matched "curl " | 12 |
Show all 11 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Account With Lifecycle Hook | package.json | package first published 0 day(s) ago, 1 total version(s), has lifecycle hook | 25 |
| medium | Remote Payload | package/dist/features/auto-update.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/hooks/session-end/callbacks.js | matched "api.telegram.org/bot" | 12 |
| medium | Remote Payload | package/skills/project-session-manager/lib/providers/bitbucket.sh | matched "curl " | 12 |
| medium | Remote Payload | package/skills/project-session-manager/lib/providers/gitea.sh | matched "curl " | 12 |
| low | Credential file access | package/bridge/team-bridge.cjs | matched ".ssh/" | 5 |
| low | Messenger Bot Endpoint | package/dist/hooks/session-end/callbacks.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
| low | Credential file access | package/dist/team/permissions.js | matched ".ssh/" | 5 |
| low | Credential file access | package/skills/project-session-manager/lib/providers/azure-devops.sh | matched ".azure\\" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node .prepare.cjs" | 5 |
| low | Large Javascript Payload | package/bridge/cli.cjs | 3045614 bytes | 0 |
Manifest
Package metadata
Scripts27
bench:promptstsx benchmarks/run-all.tsbench:prompts:comparetsx benchmarks/run-all.ts --comparebench:prompts:savetsx benchmarks/run-all.ts --save-baselinebuildtsc && node scripts/build-skill-bridge.mjs && node scripts/build-mcp-server.mjs && node scripts/build-bridge-entry.mjs && npm run compose-docs && npm run build:runtime-cli && npm run build:team-server && npm run build:clibuild:bridgenode scripts/build-skill-bridge.mjsbuild:bridge-entrynode scripts/build-bridge-entry.mjsbuild:clinode scripts/build-cli.mjsbuild:runtime-clinode scripts/build-runtime-cli.mjsbuild:team-servernode scripts/build-team-server.mjscompose-docsnode scripts/compose-docs.mjsdevtsc --watchformatprettier --write src/**/*.tslinteslint srcpostinstallnode .prepare.cjsreleasetsx scripts/release.tsstartnode dist/index.jssync-featured-contributorstsx scripts/generate-featured-contributors.tssync-featured-contributors:dry-runtsx scripts/generate-featured-contributors.ts --dry-runsync-featured-contributors:verifytsx scripts/generate-featured-contributors.ts --verifysync-metadatatsx scripts/sync-metadata.tssync-metadata:dry-runtsx scripts/sync-metadata.ts --dry-runsync-metadata:verifytsx scripts/sync-metadata.ts --verifytestvitesttest:coveragevitest run --coveragetest:runvitest runtest:uivitest --uiversionbash scripts/sync-version.sh
Dependencies12
@anthropic-ai/claude-agent-sdk^0.1.0@ast-grep/napi^0.31.0@modelcontextprotocol/sdk^1.26.0@types/better-sqlite3^7.6.13ajv^8.17.1better-sqlite3^12.6.2chalk^5.3.0commander^12.1.0jsonc-parser^3.3.1safe-regex^2.1.1vscode-languageserver-protocol^3.17.5zod^3.23.8