meta-ads
Warn
Audited by Socket on Apr 23, 2026
1 alert found:
Security (MEDIUM): package.json
The postinstall script runs npm install inside scripts/, which can trigger arbitrary lifecycle scripts from that subpackage and its dependencies. This is a security risk because it enables untrusted code execution and broadens the supply-chain attack surface. Before installing, inspect scripts/package.json and all files in scripts/ (including their dependency specifiers), avoid running as a privileged user, and consider using npm ci, offline registries, or lockfiles to reduce risk.
Confidence: 90%
Severity: 70%