PkgRadar

npm · registry.npmjs.org

hbsig

Install Lifecycle Binary Exec: preinstall="./bin/install-deps"

Early detection

PkgRadar flagged this 1.6 days before public disclosure

Detected 2026-06-03 · disclosed as MAL-2026-5190 on 2026-06-04

Why PkgRadar flagged 0.3.2

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspreinstall added in 0.3.2 vs 0.3.1: "./bin/install-deps" · package.json
mediumInstall Lifecycle Binary Execpreinstall="./bin/install-deps" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.3.2High risk602026-06-10
0.3.3Low risk02026-05-27
0.3.0Low risk02026-05-25
0.3.1Low risk02026-05-25

Block this in CI

PkgRadar gates hbsig (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence