PkgRadar

npm · registry.npmjs.org

kelly-stake

New Account With Lifecycle Hook, Install-time lifecycle script, Suspicious Publish Context

Early detection

PkgRadar flagged this 4h before public disclosure

Detected 2026-06-25 · disclosed as MAL-2026-6482 on 2026-06-25

Why PkgRadar flagged 3.5.6

Severity | Signal | Evidence
medium | New Account With Lifecycle Hook |
medium | Suspicious Publish Context |

Showing signal labels only.

Scanned versions

Version | Verdict | Score | Scanned (UTC)
4.1.0 | Review | 13 | 2026-07-01
3.5.6 | High risk | 13 | 2026-07-01
3.5.5 | Review | 15 | 2026-06-25
3.5.4 | Review | 15 | 2026-06-25
3.5.3 | High risk | 15 | 2026-06-25
3.1.0 | Review | 10 | 2026-06-25
3.3.0 | Review | 10 | 2026-06-25
3.2.0 | Review | 10 | 2026-06-25
3.5.2 | High risk | 55 | 2026-06-25

Block this in CI

PkgRadar gates kelly-stake (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]