PkgRadar

npm · registry.npmjs.org

goreleaser-run

Remote Payload: matched "github.com/goreleaser/goreleaser/releases/download"

Early detection

PkgRadar flagged this 12.5 days before public disclosure

Detected 2026-05-30 · disclosed as MAL-2026-5641 on 2026-06-11

Why PkgRadar flagged 2.16.1

SeveritySignalEvidence
mediumRemote Payloadmatched "github.com/goreleaser/goreleaser/releases/download" · package/bin/goreleaser.js

Scanned versions

VersionVerdictScoreScanned (UTC)
2.16.1Review122026-05-30
2.16.0Review392026-05-30

Block this in CI

PkgRadar gates goreleaser-run (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence