Malicious package

@chunklab/hexparse (npm)

Malicious code in @chunklab/hexparse (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6214
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @chunklab/hexparse

What this malware does

The package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function (encodeHex, decodeHex, encodeBase64,...) invokes _runPrepare() from script/prelude.cjs (and esm/prelude.mjs), a ~277 KB obfuscator.io-packed module that uses a rotating string array and an RC4-style string decoder with hex-named identifiers (_0xe119, _0x19b8).

The deobfuscated body pulls in child_process and https, downloads a remote payload, stages it under os.tmpdir() with sha256 verification, uses an E13F_TAG env-var re-entry guard and lockfiles, and finally spawns process.execPath on the downloaded file. Any consumer that imports the package and calls its advertised API therefore silently fetches and executes attacker-controlled code on the installer's machine. None of this is needed for a hex codec; the codec methods exist only as cover for the dropper.

The package also impersonates an unrelated upstream project: package.json repository.url, bugs.url, and homepage all point to github.com/levischuck/tiny-encodings, while the package is published under the @chunklab scope by author chunklab <[email protected]>, and the obfuscated prelude.cjs/prelude.mjs files are not present in that upstream. This is an identity-spoofing republish that adds malware on top of a legitimate codec source tree.

Malicious versions

1 flagged
1.1.7

Indicators of compromise (SHA-256)

56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013

Detection & response playbook

Typosquat
  1. Find it

    Scan your npm lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock), node_modules trees and build artifacts (bundles, container images) for @chunklab/hexparse at version 1.1.7, and compare any retained copy of the package against the SHA-256 indicator above. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @chunklab/hexparse across your stack and pipelines.

  2. If you installed it — respond

    @chunklab/hexparse is classed as a typosquat: it impersonates an unrelated upstream codec project and is not a package you would have chosen knowingly. Remove @chunklab/hexparse, install the legitimate codec you intended, and rotate any secrets reachable by the build or runtime that installed or imported it. The dropper is triggered by calls to the package's codec API, so any process that used the package should be treated as compromised.

  3. Did it already run?

    If @chunklab/hexparse was ever installed and its API called, the dropper may already have fetched and executed the second-stage payload. O3's L7 egress monitoring and runtime eBPF sensors detect the payload download, credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise, not just the presence of the package.

  4. How O3 protects you

    O3 blocks @chunklab/hexparse before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @chunklab/hexparse on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007080

Credits

  • Amazon Inspector · finder

@chunklab/hexparse (npm) malicious package — MAL-2026-6214 | O3 Security