Repeated static TTPpy_runtime_base64_decode:base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.
1364releases
99%evidence strength
Research and detection
Package attack leads from static evidence.
PkgRadar turns fresh registry releases into research objects: package evidence, publisher posture, repeated TTPs, candidate clusters, and CI gate decisions.
Current leads
Unconfirmed candidates worth investigating
Repeated static TTPpy_import_time_network_call:network call (urllib/requests/httpx/http.client) at install or import time.
582releases
99%evidence strength
Repeated static TTPpy_runtime_dynamic_dangerous_import:dynamic __import__('os') — reflection bypass for static checks.
505releases
99%evidence strength
Repeated static TTPwebhook_exfil_endpoint:matched "ngrok-free.app"
376releases
99%evidence strength
Repeated static TTPwebhook_exfil_endpoint:matched "api.telegram.org/bot"
344releases
99%evidence strength
Repeated static TTPinstall_lifecycle_remote_or_exec:postinstall="node scripts/postinstall.js"
295releases
99%evidence strength
Release evidence
Highest-signal packages
github.com/rudderlabs/[email protected]Static review signal
3score
Reviewunknown
github.com/tavocg/[email protected]Static review signal
0score
Low riskunknown
github.com/ai-2070/[email protected]Static review signal
0score
Low riskunknown
github.com/kabir2123/[email protected]Static review signal
0score
Low riskunknown
github.com/rudderlabs/rudder-transformer/[email protected]Static review signal
0score
Low riskunknown
Campaign mechanics
How these candidate payloads tend to work
These are not attribution claims. They are field notes from static artifacts: what behavior the package appears to be preparing for, why that behavior matters, and how the evidence becomes a CI decision without running the package.
Payload pattern
Credential access without executing the package
144linked releases
The repeated behavior is not a generic bad smell. The package text references names and paths that are normally valuable only when code is trying to find developer, registry, CI, SSH, or cloud credentials.
ArtifactCredential token/pathStatic findingCross-release clusterCI block
What the scanner sees
- The artifact is unpacked as data and scanned for credential-oriented paths and environment names.
- Hits such as .ssh, .aws, .azure, .npmrc, NPM_TOKEN, and GITHUB_TOKEN are grouped across releases.
- A single mention is treated as package evidence; repeated hits across packages become campaign evidence.
Research read
This is the pattern I would expect from a credential-harvesting payload before it phones home. The important part is the search target, not the language used to implement it.
Operational response
Block by default, inspect the exact files, and rotate matching secrets if the package reached a developer or CI host.
Repeated static TTPcredential_paths:matched ".npmrc"144 releases · max score 360
Campaign shape
Publisher burst as a compromise lead, not an accusation
3linked releases
When multiple high-risk releases appear under the same publisher identity or release channel, the signal changes from isolated package triage to account or automation-path triage.
Publisher identityMultiple risky releasesGrowth eventCandidate recordMaintainer review
What the scanner sees
- PkgRadar counts high-risk releases tied to the publisher key and tracks member growth over time.
- The campaign record is promoted when expansion or score increases create a durable candidate.
- Package examples remain linked so the analyst can distinguish legitimate release trains from suspicious bursts.
Research read
The publisher key is a lead, not a verdict. The useful question is whether a trusted release path suddenly started shipping behavior that previous releases did not.
Operational response
Review recent releases together, compare to normal cadence, and require maintainer confirmation before relaxing CI policy.
Publisher / release actor burstNous Research3 releases · max score 360
Payload surface
Install-time execution is where static evidence becomes urgent
295linked releases
Install, postinstall, prepare, and preinstall scripts deserve a different severity model because they can run before application code ever imports the package.
package.jsonLifecycle hookInterpreter/fetch/suppressionRisk scorePolicy gate
What the scanner sees
- Manifest scripts are parsed without invoking npm, node, shell, or package manager hooks.
- Commands that invoke interpreters, fetch remote content, or suppress failures are separated into explicit TTPs.
- Repeated install-time behavior across packages becomes a candidate even when the exact script text differs.
Research read
The dangerous property is execution timing. If a package can run during dependency installation, the blast radius includes developer laptops, CI workers, and release automation.
Operational response
Gate install hooks, require manual approval for new lifecycle scripts, and prefer lockfile or mirror enforcement.
Repeated static TTPinstall_lifecycle_remote_or_exec:postinstall="node scripts/postinstall.js"295 releases · max score 357
Exfil lead
DNS and OAST indicators point to low-friction data movement
53linked releases
DNS and OAST-style primitives matter because they can move small secrets or host fingerprints through infrastructure that defenders often do not monitor like HTTP egress.
Source textDNS/OAST primitiveStatic exfil leadTTP correlationIncident review
What the scanner sees
- The scanner looks for DNS resolver usage and known out-of-band interaction domains in source text and manifest scripts.
- The evidence is stored as a static indicator; PkgRadar does not resolve domains or execute callbacks.
- Repeated resolver or OAST indicators across packages are grouped as an exfiltration candidate.
Research read
This is not proof of theft by itself, but it is exactly the sort of primitive I would prioritize when combined with credential discovery or install-time execution.
Operational response
Block the release, inspect for adjacent credential collection, and review egress logs if the package was installed.
Repeated static TTPdns_or_oast_exfil:matched "burpcollaborator.net"53 releases · max score 270
Supply-chain pivot
Remote dependency specs move trust outside the registry
49linked releases
A dependency that resolves from a URL or repository commit can bypass the review assumptions teams make around normal registry versions.
Manifest dependencyRemote specBounded fetchStatic unpackTrust decision
What the scanner sees
- The manifest is parsed as JSON and dependency fields are checked for remote specs.
- Remote artifacts can be followed statically within bounded fetch limits.
- The remote target becomes correlation evidence when multiple packages point at the same infrastructure.
Research read
This is often legitimate in development packages, but it is a weak link in production dependency policy because the trust anchor has moved.
Operational response
Pin, mirror, or block remote dependency specs until the target repository and commit are reviewed.
Repeated static TTPremote_dependency_spec:dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"49 releases · max score 52
Research notes
Current writeups for analysts and maintainers
May 23, 2026
NPM remote dependency clusters observed in static scans
Shared remote tarball dependencies and repeated URL evidence are treated as candidate infrastructure until package context confirms intent.
Compare candidate members, package scores, and whether the remote artifact was fetched and unpacked statically.May 23, 2026
Publisher burst detection without assuming maintainer guilt
A publisher with multiple high-risk releases is a triage lead, not a verdict. PkgRadar weighs the burst alongside script, credential, CI, and remote artifact evidence.
Review publisher posture, recent release history, and whether the risky behavior is new versus prior versions.May 23, 2026
Static-only package triage model
Package artifacts are hostile data. The scanner hashes, bounds, unpacks, parses, diffs, and optionally fetches remote tarball artifacts without installing packages.
Use the package page to inspect the exact files, manifest deltas, and evidence that would drive a CI gate decision.Detection lanes
What the engine is trying to prove
Detection lane
Candidate correlation
Single package alerts are weak. Shared payload URLs, payload hashes, publisher bursts, and repeated high-severity TTP details are stronger evidence.
- Shared infrastructure
- Repeated TTP detail
- Publisher release bursts
Detection lane
Maintainer compromise
The important signal is a behavior change in a trusted release path: new install hooks, credential discovery, CI token access, or remote dependency pivots.
- New lifecycle scripts
- Credential path references
- CI or registry token access
Detection lane
Static artifact triage
Package artifacts are hostile data. PkgRadar hashes, unpacks, bounds, parses, and diffs them without invoking package managers or package code.
- Manifest diff
- Bounded text scanning
- Remote tarball dependency review
Promotion criteria
Candidates stay labeled until evidence converges.
PkgRadar publishes static candidates quickly, then promotes them when repeated evidence, lifecycle events, and independent signal families support a stronger campaign record.
Backfill recent npm changes on first runScan artifacts statically onlyPromote repeated signals into candidatesExpose package and publisher rationale