The package has an install-time downloader for a Frida iOS gadget dylib. Source inspection shows package-aligned binary fetching and local package-directory writes, but no confirmed malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json install script
Impact
Installs the expected Frida Gadget iOS dylib for later user-directed use; no exfiltration or unauthorized system mutation observed
Mechanism
download and decompress package-owned native dylib
Rationale
The suspicious install hook is explained by the package's purpose: it fetches the versioned Frida Gadget binary from the upstream Frida release and stores it in the package directory. No source evidence shows credential theft, remote code execution beyond the expected native artifact download, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsondownload.jsindex.jsindex.d.tsfrida-gadget-17.15.4-ios-universal.dylib.downloadfrida-gadget-17.15.4-ios-universal.dylib
Network endpoints1
github.com/frida/frida/releases/download/${gadget.version}/frida-gadget-${gadget.version}-ios-universal.dylib.gz