PkgRadar

Package evidence

[email protected]

Install Lifecycle Suppresses Failure: postinstall="node bin/postinstall.js || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 411
Versions published: 83
First published: Apr 2026
Publisher: igorganapolsky

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Artifact bytes: 1,299,009
Previous version: 1.27.6
Published: 2026-06-16T20:33:32.001Z
SHA-256: 1b3b01293da0f337ca90c428de0556be7719dc3fd42dd28c2be583ff837941b9

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="node bin/postinstall.js || true"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 28
Version: 1.27.7
Status history (1 event)
  1. new · available · risk high · score 28 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity · Kind · Path · Detail · Points
  • high · Install Lifecycle Suppresses Failure · package.json · postinstall="node bin/postinstall.js || true" · 20
  • low · Install-time lifecycle script · package.json · postinstall="node bin/postinstall.js || true" · 5
  • low · Credential file access · package/config/evals/agent-safety-eval.json · matched "AWS_ACCESS_KEY" · 3

Manifest

Package metadata

Scripts: 468
  • adk:consolidate · node scripts/adk-consolidator.js
  • adk:watch · node scripts/adk-consolidator.js --watch
  • agent:run · node scripts/managed-lesson-agent.js
  • agent:run:dry · node scripts/managed-lesson-agent.js --dry-run
  • agent:schedule · node scripts/schedule-manager.js install --label managed-lesson-agent --spec 'daily 02:00' --command 'npm run agent:run' --workingDirectory .
  • audit:stats · node scripts/audit-trail.js --stats
  • branch-protection:check · node scripts/sync-branch-protection.js --check
  • branch-protection:sync · node scripts/sync-branch-protection.js
  • budget:status · node scripts/budget-guard.js --status
  • build:claude-mcpb · node scripts/build-claude-mcpb.js
  • build:claude-review-zip · node scripts/build-claude-mcpb.js --review-zip
  • build:codex-plugin · node scripts/build-codex-plugin.js
  • build:grok-plugin · node scripts/build-grok-plugin.js
  • build:vscode-extension · cd plugins/vscode-extension && npx --yes @vscode/vsce package
  • cfo:report · node bin/cli.js cfo
  • changeset · changeset
  • changeset:check · node scripts/changeset-check.js
  • changeset:status · changeset status
  • changeset:version · changeset version && node scripts/sync-version.js
  • creator:links · node scripts/creator-campaigns.js
  • credentials:plan · node scripts/single-use-credential-gate.js plan
  • credentials:plan:json · node scripts/single-use-credential-gate.js json
  • demo:narration · node scripts/render-demo-video/generate-narration.js
  • demo:render · node scripts/render-demo-video/render.js
  • demo:render:full · npm run demo:narration && npm run demo:render
  • deploy:policy · node scripts/deploy-policy.js
  • eval:async-observability · node scripts/async-eval-observability.js
  • eval:classifier · python3 scripts/eval_gate_classifier.py
  • eval:feedback · node scripts/prompt-eval.js --from-feedback
  • eval:feedback-quality · python3 scripts/feedback_quality_eval.py
  • …and 438 more.
Dependencies: 10
  • @anthropic-ai/sdk 0.102.0
  • @google/genai 2.7.0
  • @huggingface/transformers ^4.2.0
  • @lancedb/lancedb ^0.30.0
  • apache-arrow ^18.1.0
  • better-sqlite3 ^12.9.0
  • dotenv ^17.4.2
  • playwright-core ^1.59.1
  • protobufjs ^8.5.0
  • stripe ^22.2.0