PkgRadar

npm · registry.npmjs.org

stream-read-35cf

Install Lifecycle Repeated Payload: preinstall,postinstall="node run.js"

Early detection

PkgRadar flagged this 1h before public disclosure

Detected 2026-06-18 · disclosed as MAL-2026-6099 on 2026-06-18

Why PkgRadar flagged 1.0.0

SeveritySignalEvidence
highInstall Lifecycle Repeated Payloadpreinstall,postinstall="node run.js" · package.json
highNew Account With Lifecycle Hookpackage first published 0 day(s) ago, 1 total version(s), has lifecycle hook · package.json
mediumSuspicious Publish Context{"package_age_days":0,"publisher":"devutils2026","burst_same_day":9,"burst_week":9,"lure":{"kind":"token_affix","target":"read"},"version_anomaly":false,"new_account":false}

Scanned versions

VersionVerdictScoreScanned (UTC)
1.0.0High risk502026-06-18

Related campaigns

Block this in CI

PkgRadar gates stream-read-35cf (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence