PkgRadar

Package evidence

[email protected]

Js Remote Exe Exec, New Account With Lifecycle Hook, Install Lifecycle Suppresses Failure +4 more

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
Jun 2026
Publisher
malghz

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishermalghz
Artifact bytes9,922,134
Previous versionnone
Published2026-06-25T05:38:09.742Z
SHA-2567ed211a7cb81c00be7e855262faaa1eb83f55e46e2c88e70425bc31dae0c4a6b

Why flagged

What the scanner saw

Js Remote Exe Exec

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
128Score
1.0.0Version
Status history (1 event)
  1. newavailable · risk high · score 128 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burstactive

Publisher burst: malghz

45 members · evidence strength 84
Publisher / release actor burstcandidate

Publisher burst: malghz

45 members · max score 235

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Remote Exe Execmanifest45
highNew Account With Lifecycle Hookmanifest25
highInstall Lifecycle Suppresses Failuremanifest20
mediumTls Verification Disabledmanifest12
mediumTls Verification Disabledmanifest12
mediumRemote Payloadmanifest12
mediumTls Verification Disabledmanifest12
Show all 10 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Remote Exe Execmanifest45
highNew Account With Lifecycle Hookmanifest25
highInstall Lifecycle Suppresses Failuremanifest20
mediumTls Verification Disabledmanifest12
mediumTls Verification Disabledmanifest12
mediumRemote Payloadmanifest12
mediumTls Verification Disabledmanifest12
lowCredential file accessmanifest5
lowCredential file accessmanifest5
lowInstall-time lifecycle scriptmanifest5

Manifest

Package metadata

Dependencies30
  • @dnd-kit/core^6.3.1
  • @dnd-kit/modifiers^9.0.0
  • @dnd-kit/sortable^10.0.0
  • @dnd-kit/utilities^3.2.2
  • @monaco-editor/react^4.7.0
  • @xyflow/react^12.10.1
  • bcryptjs^3.0.3
  • confbox^0.2.4
  • express^5.2.1
  • fs^0.0.1-security
  • http-proxy-middleware^3.0.5
  • jose^6.1.3
  • marked^18.0.1
  • material-symbols^0.45.1
  • monaco-editor^0.55.1
  • next^16.1.6
  • node-forge^1.3.3
  • node-machine-id^1.1.12
  • open^11.0.0
  • ora^9.1.0
  • react19.2.4
  • react-dom19.2.4
  • react-is^19.2.7
  • recharts^3.7.0
  • selfsigned^5.5.0
  • socks-proxy-agent^10.1.0
  • sql.js^1.14.1
  • undici^8.4.1
  • uuid^13.0.0
  • zustand^5.0.10
Optional dependencies3
  • better-sqlite3^12.6.2
  • camoufox-js^0.11.0
  • playwright^1.54.2