npm · registry.npmjs.org

bluelamp

Remote Payload: matched "curl "

Why PkgRadar flagged 3.0.6

Severity	Signal	Evidence
high	New Lifecycle Script Vs Previous	postinstall added in 3.0.6 vs 3.0.5: "node scripts/setup-agents.js && node scripts/generate-bluelamp-links.js" · package.json
medium	Remote Payload	matched "curl " · package/knowledge-injection/hooks/inject-encrypted.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`6.4.10`	Low risk	0	2026-06-17
`6.4.9`	Low risk	0	2026-06-13
`6.4.8`	Low risk	0	2026-06-13
`4.3.4`	Review	3	2026-06-12
`6.4.7`	Low risk	0	2026-06-12
`6.4.6`	Low risk	0	2026-06-12
`3.0.7`	Review	11	2026-06-12
`3.0.6`	High risk	57	2026-06-12
`3.0.9`	High risk	57	2026-06-12
`6.4.5`	Low risk	0	2026-06-12
`6.4.4`	Low risk	0	2026-06-03
`6.4.3`	Low risk	0	2026-06-02
`6.4.2`	Low risk	0	2026-05-30
`6.4.0`	Review	3	2026-05-30
`6.4.1`	Review	3	2026-05-30

Campaign attribution

Block this in CI

PkgRadar gates bluelamp (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]