npm · registry.npmjs.org

boardstep

Install Lifecycle Repeated Payload: preinstall,install,postinstall="node install.js"

Early detection

PkgRadar flagged this 2h before public disclosure

Detected 2026-06-15 · disclosed as MAL-2026-5800 on 2026-06-15

Why PkgRadar flagged 1.1.0

Severity	Signal	Evidence
high	Install Lifecycle Repeated Payload	preinstall,install,postinstall="node install.js" · package.json
medium	New Account With Lifecycle Hook	package first published 0 day(s) ago, 6 total version(s), has lifecycle hook · package.json
medium	Suspicious Publish Context	{"package_age_days":0,"publisher":"sfhbdrffthger","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.1.4`	Review	15	2026-06-15
`1.1.3`	Review	15	2026-06-15
`1.1.2`	Review	15	2026-06-15
`1.1.0`	High risk	50	2026-06-15
`1.0.9`	High risk	50	2026-06-15
`1.0.7`	High risk	50	2026-06-15
`1.0.5`	High risk	50	2026-06-15
`1.0.1`	High risk	50	2026-06-15
`1.0.0`	High risk	50	2026-06-15

Block this in CI

PkgRadar gates boardstep (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]