Install runs a downloader that retrieves a native iOS Frida Gadget library from a package-aligned release URL. It replaces old matching dylibs only inside its own package directory; no malicious control surface is established.
Static reason
One or more suspicious static signals were detected.
Impact
Installs the advertised native instrumentation artifact; no exfiltration, remote code execution chain beyond the intended artifact download, or persistence was found.
Mechanism
HTTPS download, gzip extraction, and package-local dylib replacement
Rationale
The install hook performs the package's stated function: download and expose the version-pinned iOS Frida Gadget binary. Source inspection found no credential theft, broad filesystem mutation, stealth persistence, agent-control mutation, or unrelated execution behavior.
Evidence
package.jsondownload.jsindex.jsindex.d.tsfrida-gadget-17.15.5-ios-universal.dylibfrida-gadget-17.15.5-ios-universal.dylib.download
Network endpoints1
github.com/frida/frida/releases/download/17.15.5/frida-gadget-17.15.5-ios-universal.dylib.gz