@apexcraft/nano-key (npm)
Malicious code in @apexcraft/nano-key (npm). Remove it immediately and rotate any exposed credentials.
What this malware does
@apexcraft/nano-key advertises itself as a 12-byte sortable ID generator (README and repository metadata are copied from yiwen-ai/xid-ts, an unrelated upstream project), but ships a 250 KB obfuscator.io-style payload at dist/cjs/seed.cjs. package.json declares "postinstall": "node ./dist/cjs/seed.cjs", so the payload runs automatically on npm install. The same runPrepare() entry point is also invoked at module load: index.js line 25 calls _seed.runPrepare() inside newState(), and line 35 calls newState() at top level as defaultState = newState(), so any consumer that requires the package re-triggers the dropper. seed.cjs uses an RC4+base64 rotating string-array decoder (_0x554f / _0x1420), control-flow flattening, a self-defending IIFE, and a debugger-protection loop to hide an AES-256-GCM-decrypted URL list. At runtime it issues https.request calls to those URLs, stages the response under ~/.cache (or %LOCALAPPDATA% / ~/Library/Caches), sha256-stamps the file, and executes it with child_process.spawn(process.execPath, [file]), with an alternate branch for the bun runtime. There is no signature or hash pinning of the fetched bytes, the destination is decrypted at runtime (mutable C2), and the package's stated purpose (ID generation) provides no legitimate reason to fetch and execute remote code. Installing or requiring this package hands arbitrary remote code execution to whoever controls the encrypted endpoint.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Backdoor / remote access
Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @apexcraft/nano-key (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @apexcraft/nano-key across your stack and pipelines.
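A lockfile and install-hook check of the kind described above, added here as an example that is not part of the advisory or of O3 Security's scanner. The sample inputs are constructed, and the version string in them is a placeholder because the two malicious version numbers are not listed on this page; the check flags every pinned version of the package regardless.

```javascript
// Added example (not from the advisory or O3 Security): find @apexcraft/nano-key in the
// common JavaScript lockfile formats and flag an npm install-time lifecycle hook.
const TARGET = "@apexcraft/nano-key";

// Return the versions of `name` pinned in a lockfile, or [] if it is absent.
function findInLockfile(name, filename, text) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const found = new Set();
  if (filename.endsWith("package-lock.json")) {
    // lockfileVersion 2/3 keys "packages" by install path (v1's nested "dependencies" is not handled here).
    const lock = JSON.parse(text);
    for (const [path, meta] of Object.entries(lock.packages || {})) {
      if (path.endsWith("node_modules/" + name) && meta.version) found.add(meta.version);
    }
  } else if (filename.endsWith("yarn.lock")) {
    // yarn v1: `"@scope/name@^1.0.0":` then `  version "1.0.0"`; yarn berry writes `version: 1.0.0`.
    const re = new RegExp(`^"?${esc}@[^\\n]*:\\n(?:[ \\t]+[^\\n]*\\n)*?[ \\t]+version:? "?([^"\\n]+)"?`, "gm");
    for (const m of text.matchAll(re)) found.add(m[1]);
  } else if (filename.endsWith("pnpm-lock.yaml")) {
    // pnpm: `/@scope/name@1.0.0:` (v6) or `'@scope/name@1.0.0':` (v9) under `packages:`.
    const re = new RegExp(`^\\s*'?/?${esc}@([^'(:\\s]+)`, "gm");
    for (const m of text.matchAll(re)) found.add(m[1]);
  }
  return [...found];
}

// Flag a lifecycle script that runs at install time, the hook seed.cjs is wired into.
function installHook(pkgJson) {
  const scripts = pkgJson.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) return { hook, command: scripts[hook] };
  }
  return null;
}

// Constructed sample inputs; the version is a placeholder because the advisory does not
// list the two malicious version numbers, and the scanner flags every version anyway.
const V = "0.0.0-placeholder";
const SAMPLE_NPM = JSON.stringify({ lockfileVersion: 3, packages: { "": {}, ["node_modules/" + TARGET]: { version: V } } });
const SAMPLE_YARN = `"${TARGET}@^0.0.0":\n  version "${V}"\n  resolved "https://registry.example/placeholder.tgz"\n`;
const SAMPLE_PNPM = `packages:\n  /${TARGET}@${V}:\n    resolution: {integrity: sha512-placeholder}\n`;
const SAMPLE_PKG = { name: TARGET, scripts: { postinstall: "node ./dist/cjs/seed.cjs" } };

function scanAll() {
  return {
    npm: findInLockfile(TARGET, "package-lock.json", SAMPLE_NPM),
    yarn: findInLockfile(TARGET, "yarn.lock", SAMPLE_YARN),
    pnpm: findInLockfile(TARGET, "pnpm-lock.yaml", SAMPLE_PNPM),
    hook: installHook(SAMPLE_PKG),
  };
}
console.log(scanAll());
```

In a real sweep, feed each lockfile found in the repository and every installed node_modules/*/package.json through these two functions; a hit on either the package name or an install hook that launches a script is the signal to escalate to the response steps below.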
If you installed it — respond
@apexcraft/nano-key establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If @apexcraft/nano-key was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @apexcraft/nano-key before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks @apexcraft/nano-key-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.