Package evidence
[email protected]
New Account With Lifecycle Hook: package first published 1 day(s) ago, 4 total version(s), has lifecycle hook
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 4
- First published
- Jun 2026
- Publisher
- haimdx
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
New Account With Lifecycle Hook: package first published 1 day(s) ago, 4 total version(s), has lifecycle hook
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 15 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Account With Lifecycle Hook | package.json | package first published 1 day(s) ago, 4 total version(s), has lifecycle hook | 25 |
| medium | Suspicious Publish Context | manifest | {"package_age_days":1,"publisher":"haimdx","burst_same_day":3,"burst_week":3,"lure":null,"version_anomaly":false,"new_account":false} | 10 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Account With Lifecycle Hook | package.json | package first published 1 day(s) ago, 4 total version(s), has lifecycle hook | 25 |
| medium | Suspicious Publish Context | manifest | {"package_age_days":1,"publisher":"haimdx","burst_same_day":3,"burst_week":3,"lure":null,"version_anomaly":false,"new_account":false} | 10 |
| low | Install-time lifecycle script | package.json | postinstall="npm run sequelize:migrate" | 5 |
| low | Large Javascript Payload | package/lib/public/dashboard/static/js/2.f7672eec.chunk.js | 3802190 bytes | 0 |
Manifest
Package metadata
Scripts35
appium-homerm -rf rm -rf /tmp/tractive-device-farm && export APPIUM_HOME=/tmp/tractive-device-farmbuildnpx tsc -b && npm run copy-filesbuild:docsappium-docs build --reference=falsebuildAndCopyWebsh buildAndCopyWeb.shclear-cacherm -rf $HOME/.cache/appium-device-farmcopy-filescp -R src/public libcoveragenyc npm run testinstall-docs-depsappium-docs init --no-mkdocs -e lib/index.jsinstall-driver-androidexport APPIUM_HOME=/tmp/tractive-device-farm && appium driver install [email protected]install-driver-iosexport APPIUM_HOME=/tmp/tractive-device-farm && appium driver install [email protected]install-pluginnpm run build && appium plugin install --source=local $(pwd)integration-androidmocha -r ts-node/register ./test/integration/androidDevices.spec.js --timeout 90000 --exitintegration-iosmocha -r ts-node/register ./test/integration/*iOS*.spec.js --timeout 260000 --exitlinteslint . --ext .ts,.tsx --fixpostinstallnpm run sequelize:migrateprepublishnpx tsc && npm run copy-filesprettierprettier 'src/**/*.ts' 'web/**/*.ts' 'web/**/*.tsx' --write --single-quotepublish:docsappium-docs build --deploy --push -b docs-site -m 'docs: auto-build docs for appium-device-farm@%s' --alias latestreinstall-pluginexport APPIUM_HOME=/tmp/tractive-device-farm && npm run appium-home && (appium plugin uninstall device-farm || exit 0) && npm run install-pluginreleasebash publish.shrun-serverexport APPIUM_HOME=/tmp/tractive-device-farm && appium plugin list --installed && appium server -ka 800 --log-timestamp --use-plugins=tractive-device-farm -pa /wd/hub --plugin-tractive-device-farm-platform=both --plugin-tractive-device-farm-authsequelize:migratesequelize-cli db:migratesequelize:migrate:undosequelize-cli db:migrate:undotestmocha -r ts-node/register ./test/unit/*.spec.js --plugin-device-farm-platform=both --exit --timeout=10000test-e2ewait-on http://localhost:31337/device-farm/ && mocha --require ts-node/register ./test/e2e/plugin.spec.js --timeout 999999test-e2e-browserstackwait-on http://localhost:31337/device-farm/ && mocha --require ts-node/register ./test/e2e/browserstack.spec.js --timeout 999999test-e2e-pCloudywait-on http://localhost:31337/device-farm/ && mocha --require ts-node/register ./test/e2e/pcloudy.spec.js --timeout 999999test-jestNODE_OPTIONS=--experimental-vm-modules npx jest ./test/unit/AndroidDeviceManager.spec.jstest-parallel-androidmocha --require ts-node/register -p ./test/e2e/android/conf.spec.js --timeout 260000test-parallel-bswait-on http://localhost:31337/device-farm/ && mocha --require ts-node/register -p ./test/e2e/android/cloud/conf.spec.js --timeout 260000- …and 5 more.
Dependencies64
@appium/base-plugin^2.2.22@appium/types^0.14.1@devicefarmer/adbkit^3.2.5@ffmpeg-installer/ffmpeg^1.1.0@types/multer^2.1.0@types/node-persist^3.1.5app-info-parser^1.1.6appium-adb^11.0.3appium-base-driver^7.11.3appium-chromedriver^5.6.19appium-ios-device^2.7.6appium-ios-simulator^4.2.1appium-remote-debugger^9.0.0async-lock^1.2.8async-wait-until^2.0.12asyncbox^3.0.0axios^0.27.2bcryptjs^3.0.3better-sqlite3^11.10.0bluebird^3.7.2body-parser^2.3.0bplist-parser^0.3.2chrome-remote-interface^0.34.0circular-json^0.5.9cors^2.8.5debug^4.4.3download^8.0.0express^4.17.3fs-extra^11.1.1get-port^5.1.1- …and 34 more.