npm · registry.npmjs.org

hellyeah

Remote Payload: matched "curl\n"

Why PkgRadar flagged 1.1.0-beta.4

Severity	Signal	Evidence
high	New Lifecycle Script Vs Previous	postinstall added in 1.1.0-beta.4 vs 1.1.0-beta.3: "node bin/postinstall.js" · package.json
medium	Remote Payload	matched "curl\n" · package/install.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.2.0-beta.1`	Review	5	2026-06-15
`1.1.0`	Review	5	2026-06-12
`1.1.0-beta.4`	High risk	57	2026-06-12
`1.1.0-beta.3`	Review	3	2026-06-12
`1.1.0-beta.2`	Review	3	2026-06-12
`1.1.0-beta.1`	Review	3	2026-06-10
`1.0.0-beta.10`	Review	3	2026-06-03
`1.0.0`	Review	3	2026-06-03
`1.0.0-beta.9`	Review	3	2026-06-03
`1.0.0-beta.8`	Review	3	2026-06-03
`1.0.0-beta.7`	Low risk	0	2026-06-03
`0.0.3-bootstrap`	Low risk	0	2026-06-02
`1.0.0-beta.6`	Low risk	0	2026-06-01
`1.0.0-beta.5`	Low risk	0	2026-06-01

Campaign attribution

Block this in CI

PkgRadar gates hellyeah (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]