Which versions of @ceeferenderer/itg-renderer-sdk are malicious?

The following npm versions of @ceeferenderer/itg-renderer-sdk are flagged malicious: 99.9.9. Treat any of these as compromised.

How do I remediate @ceeferenderer/itg-renderer-sdk if I installed it?

@ceeferenderer/itg-renderer-sdk is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @ceeferenderer/itg-renderer-sdk — how do I know if it already compromised me?

If @ceeferenderer/itg-renderer-sdk was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @ceeferenderer/itg-renderer-sdk part of a known attack campaign?

Yes — @ceeferenderer/itg-renderer-sdk is associated with the IN-MAL-2026-002362 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @ceeferenderer/itg-renderer-sdk across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @ceeferenderer/itg-renderer-sdk (version 99.9.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @ceeferenderer/itg-renderer-sdk across your stack and pipelines.

Malicious package

@ceeferenderer/itg-renderer-sdknpm

Malicious code in @ceeferenderer/itg-renderer-sdk (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-2407

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @ceeferenderer/itg-renderer-sdk

What this malware does

Malicious package due to code obfuscation, dynamic module loading, process exposure, suspicious install script, and untrustworthy author email.

This package performs silent reconnaissance against any machine that installs or requires it. The package.json declares scripts.install = node index.js, and index.js also loads lib/core.js at require() time. lib/core.js obtains the os and dns modules via module.constructor._load(...) — a deliberate bypass of simple require('os')/require('dns') source grep — then reads os.userInfo().username, os.hostname(), and path.basename(process.cwd()), concatenates them with a timestamp and the hard-coded domain oob.sl4x0.xyz, and calls dns.resolve4() on the resulting subdomain. Because oob.sl4x0.xyz is an attacker-controlled authoritative nameserver, the victim's resolver leaks the username, hostname, and working-directory name as DNS query labels. The sensitive identifiers and the domain itself are stored as hex byte arrays in lib/6ad264.js and lib/b02e30.js and reassembled at runtime via String.fromCharCode, and the JS filenames are random hex — clear evasion of static review. Supporting red flags: the author email is [email protected] (same attacker-owned domain), the version is 99.9.9, and the package description is generic. This is active exfiltration of installer-side data executed on both install and import, with no legitimate functionality documented.

Malicious versions

1 flagged

99.9.9

Indicators of compromise (SHA-256)

6f323b1bbcb702f6ba95647783f3bb722e75b2c8324aadb6e42f0580529591b0

51b9fa22264e38705c3a7ba319515ee66036e72ab14c32d08b01a5695aa191b8

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @ceeferenderer/itg-renderer-sdk (version 99.9.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @ceeferenderer/itg-renderer-sdk across your stack and pipelines.
If you installed it — respond
@ceeferenderer/itg-renderer-sdk is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @ceeferenderer/itg-renderer-sdk was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @ceeferenderer/itg-renderer-sdk before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @ceeferenderer/itg-renderer-sdk on npm has been identified as a malicious package (version 99.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002362

References

Credits

Amazon Inspector · finder
SafeDep · finder

Detect & block this

O3 blocks @ceeferenderer/itg-renderer-sdk-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring