npm · registry.npmjs.org
kelly-stake
New Account With Lifecycle Hook, Install-time lifecycle script, Suspicious Publish Context
Early detection
PkgRadar flagged this 4h before public disclosure
Detected 2026-06-25 · disclosed as MAL-2026-6482 on 2026-06-25
Why PkgRadar flagged 3.5.6
| Severity | Signal | Evidence |
|---|---|---|
| medium | New Account With Lifecycle Hook | — |
| medium | Suspicious Publish Context | — |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
4.1.0 | Review | 13 | 2026-07-01 |
3.5.6 | High risk | 13 | 2026-07-01 |
3.5.5 | Review | 15 | 2026-06-25 |
3.5.4 | Review | 15 | 2026-06-25 |
3.5.3 | High risk | 15 | 2026-06-25 |
3.1.0 | Review | 10 | 2026-06-25 |
3.3.0 | Review | 10 | 2026-06-25 |
3.2.0 | Review | 10 | 2026-06-25 |
3.5.2 | High risk | 55 | 2026-06-25 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]