PkgRadar

Research and detection

Package attack leads from static evidence.

PkgRadar turns fresh registry releases into research objects: package evidence, publisher posture, repeated TTPs, candidate clusters, and CI gate decisions.

Current leads

Unconfirmed candidates worth investigating

Open candidates
Publisher / release actor burstGitHub Actions
6003releases
99%evidence strength
Repeated static TTPjs_hidden_powershell:hidden / non-interactive powershell invocation in package code — `-windowstyle hidden`, `irm | iex`, `windowshide: true`, or equivalent — used to download-and-run payloads on windows installers.
5216releases
99%evidence strength
Repeated static TTPjs_remote_npm_install:shell-exec of `npm install` with a global flag, a url, or a concatenated (dynamic) target — installs a remote/attacker-controlled package at runtime (self-updating dropper / remote payload).
3843releases
99%evidence strength
Repeated static TTPjs_remote_exe_exec:downloads a windows executable (.exe/.msi/.scr/.dll/script) from a url and runs it via child_process — remote-payload dropper.
3720releases
99%evidence strength
Repeated static TTPnative_binary_main_entry:main/bin entry points to a compiled binary: bin entry
2813releases
99%evidence strength
Repeated static TTPnew_account_with_lifecycle_hook:package first published 0 day(s) ago, 1 total version(s), has lifecycle hook
1832releases
99%evidence strength

Release evidence

Highest-signal packages

Recent feed

Campaign mechanics

How these candidate payloads tend to work

These are not attribution claims. They are field notes from static artifacts: what behavior the package appears to be preparing for, why that behavior matters, and how the evidence becomes a CI decision without running the package.

Payload pattern

Credential access without executing the package

372linked releases

The repeated behavior is not a generic bad smell. The package text references names and paths that are normally valuable only when code is trying to find developer, registry, CI, SSH, or cloud credentials.

ArtifactCredential token/pathStatic findingCross-release clusterCI block

What the scanner sees

  • The artifact is unpacked as data and scanned for credential-oriented paths and environment names.
  • Hits such as .ssh, .aws, .azure, .npmrc, NPM_TOKEN, and GITHUB_TOKEN are grouped across releases.
  • A single mention is treated as package evidence; repeated hits across packages become campaign evidence.

Research read

This is the pattern I would expect from a credential-harvesting payload before it phones home. The important part is the search target, not the language used to implement it.

Operational response

Block by default, inspect the exact files, and rotate matching secrets if the package reached a developer or CI host.

Campaign shape

Publisher burst as a compromise lead, not an accusation

4linked releases

When multiple high-risk releases appear under the same publisher identity or release channel, the signal changes from isolated package triage to account or automation-path triage.

Publisher identityMultiple risky releasesGrowth eventCandidate recordMaintainer review

What the scanner sees

  • PkgRadar counts high-risk releases tied to the publisher key and tracks member growth over time.
  • The campaign record is promoted when expansion or score increases create a durable candidate.
  • Package examples remain linked so the analyst can distinguish legitimate release trains from suspicious bursts.

Research read

The publisher key is a lead, not a verdict. The useful question is whether a trusted release path suddenly started shipping behavior that previous releases did not.

Operational response

Review recent releases together, compare to normal cadence, and require maintainer confirmation before relaxing CI policy.

Payload surface

Install-time execution is where static evidence becomes urgent

622linked releases

Install, postinstall, prepare, and preinstall scripts deserve a different severity model because they can run before application code ever imports the package.

package.jsonLifecycle hookInterpreter/fetch/suppressionRisk scorePolicy gate

What the scanner sees

  • Manifest scripts are parsed without invoking npm, node, shell, or package manager hooks.
  • Commands that invoke interpreters, fetch remote content, or suppress failures are separated into explicit TTPs.
  • Repeated install-time behavior across packages becomes a candidate even when the exact script text differs.

Research read

The dangerous property is execution timing. If a package can run during dependency installation, the blast radius includes developer laptops, CI workers, and release automation.

Operational response

Gate install hooks, require manual approval for new lifecycle scripts, and prefer lockfile or mirror enforcement.

Repeated static TTPinstall_lifecycle_suppresses_failure:postinstall="node dist/postinstall.js || true"622 releases · max score 205

Exfil lead

DNS and OAST indicators point to low-friction data movement

242linked releases

DNS and OAST-style primitives matter because they can move small secrets or host fingerprints through infrastructure that defenders often do not monitor like HTTP egress.

Source textDNS/OAST primitiveStatic exfil leadTTP correlationIncident review

What the scanner sees

  • The scanner looks for DNS resolver usage and known out-of-band interaction domains in source text and manifest scripts.
  • The evidence is stored as a static indicator; PkgRadar does not resolve domains or execute callbacks.
  • Repeated resolver or OAST indicators across packages are grouped as an exfiltration candidate.

Research read

This is not proof of theft by itself, but it is exactly the sort of primitive I would prioritize when combined with credential discovery or install-time execution.

Operational response

Block the release, inspect for adjacent credential collection, and review egress logs if the package was installed.

Repeated static TTPdns_or_oast_exfil242 releases · max score 496

Supply-chain pivot

Remote dependency specs move trust outside the registry

WatchingNo active record

A dependency that resolves from a URL or repository commit can bypass the review assumptions teams make around normal registry versions.

Manifest dependencyRemote specBounded fetchStatic unpackTrust decision

What the scanner sees

  • The manifest is parsed as JSON and dependency fields are checked for remote specs.
  • Remote artifacts can be followed statically within bounded fetch limits.
  • The remote target becomes correlation evidence when multiple packages point at the same infrastructure.

Research read

This is often legitimate in development packages, but it is a weak link in production dependency policy because the trust anchor has moved.

Operational response

Pin, mirror, or block remote dependency specs until the target repository and commit are reviewed.

Campaign reports

In-depth incident writeups

Campaign report · 2026-05-26

36 packages in one burst: the asteroiddao npm campaign

On May 26 at 01:05 UTC, PkgRadar flagged 22 high-risk packages from npm publisher asteroiddao within two minutes of first seeing them — 6 minutes after OSV advisories appeared. A detailed look at what the static scanner found: lifecycle diffs, binary exec hooks, failure suppression, and a publisher burst signal.

Read the full report →

Research notes

Current writeups for analysts and maintainers

May 23, 2026

NPM remote dependency clusters observed in static scans

Shared remote tarball dependencies and repeated URL evidence are treated as candidate infrastructure until package context confirms intent.

Compare candidate members, package scores, and whether the remote artifact was fetched and unpacked statically.

May 23, 2026

Publisher burst detection without assuming maintainer guilt

A publisher with multiple high-risk releases is a triage lead, not a verdict. PkgRadar weighs the burst alongside script, credential, CI, and remote artifact evidence.

Review publisher posture, recent release history, and whether the risky behavior is new versus prior versions.

May 23, 2026

Static-only package triage model

Package artifacts are hostile data. The scanner hashes, bounds, unpacks, parses, diffs, and optionally fetches remote tarball artifacts without installing packages.

Use the package page to inspect the exact files, manifest deltas, and evidence that would drive a CI gate decision.

Detection lanes

What the engine is trying to prove

Detection lane

Candidate correlation

Single package alerts are weak. Shared payload URLs, payload hashes, publisher bursts, and repeated high-severity TTP details are stronger evidence.

  • Shared infrastructure
  • Repeated TTP detail
  • Publisher release bursts
Candidate cluster records and package drilldowns

Detection lane

Maintainer compromise

The important signal is a behavior change in a trusted release path: new install hooks, credential discovery, CI token access, or remote dependency pivots.

  • New lifecycle scripts
  • Credential path references
  • CI or registry token access
Publisher posture pages and high-signal release queues

Detection lane

Static artifact triage

Package artifacts are hostile data. PkgRadar hashes, unpacks, bounds, parses, and diffs them without invoking package managers or package code.

  • Manifest diff
  • Bounded text scanning
  • Remote tarball dependency review
Deterministic allow, review, or block evidence

Promotion criteria

Candidates stay labeled until evidence converges.

PkgRadar publishes static candidates quickly, then promotes them when repeated evidence, lifecycle events, and independent signal families support a stronger campaign record.

Backfill recent npm changes on first runScan artifacts statically onlyPromote repeated signals into candidatesExpose package and publisher rationale