Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

@gusmano/reextnpm

Malicious code in @gusmano/reext (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-3684
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @gusmano/reext

What this malware does

The npm preinstall lifecycle script (dist/scripts/preinstall.js, wired via package.json "preinstall": "node./dist/scripts/preinstall.js") reads the installer's ~/.gitconfig via iniparser.parseSync(home_dir+'/.gitconfig') and the OS username via os.userInfo().username, then issues an HTTPS GET to the hardcoded endpoint https://2tak.l.serverhost.name:1962/mobile/reext with osname, gitname, and gitemail supplied as query parameters. The code explicitly branches on if (osname === 'xmarcgusmano') { server = 'http://localhost:1962' } else { server = 'https://2tak.l.serverhost.name:1962' }, confirming that the remote-host path fires for every installer that is not the author's own machine — a deliberate exfiltration path gated by the author's own username. The destination is not a documented vendor endpoint; it is an author-controlled third-party host the installer did not opt into. Separately, dist/scripts/postinstall.js resolves path.resolve(__dirname, '../../package.json') (the consuming project's own package.json relative to node_modules/@gusmano/reext/dist/scripts/) and rewrites it, deleting scripts.dev/build/test/watch/coverage, the entire scripts key, eslintConfig, devDependencies, and dependencies, then rm -rf's several dist subfolders — destructive, unauthorized mutation of the installer's project files. The combination (silent install-time exfiltration of personal identity data to an author-controlled host plus destructive rewrite of the consumer's manifest) is unambiguously harmful to installers.

Malicious versions

34 flagged
0.0.920.0.980.0.1040.0.1210.0.1280.0.1480.0.1500.0.1660.0.1690.0.1880.0.1900.0.1970.0.1980.0.2090.0.2160.0.2180.0.2220.0.2230.0.2350.0.2360.0.2370.0.2500.0.2510.0.2550.0.2610.0.2760.0.3150.0.3170.0.3240.0.3460.0.3520.0.3580.0.3900.0.473

Indicators of compromise (SHA-256)

054b16cbfefbf8db2833bc11292a221388ea6f846f479accff78585e1f2fa27a
3f9749ef494686a44f85606ca4b3f074373275808013fe9e59f1797bcca9b0fe
4e84657e6ccdec00cd4972691de05d04081c98b7e7734ff7b94688059e9ea502
4f0ba19a2a776ef66ddeb23ebec68f2d5adfc1ea203f8be9fa14dfdd9906099f
95b6cc3a3852fd4256b505e0f495070b12c74c2845ddb074ca10c2f976780783
2d48ef0582a31947906fbeaa4735eae0d3fb69cab51e118f28fc293c3fe2aafe
3c1869cfa68f4b777e7d2a65a1c002bbe6b69fd157dbec48f2c0c8244403b8f9
69da331d08f2262e165c6f05b979bf5862d21877627b226ce3018c30b312f4b7
7225ee364b6bf2e68d8f94df0f0fb8ff3212495a1f86a81cd95036add33b1297
8a5af26cfe6ec2086ff01bcd884e78204e9ebe556ab1149a276e4788f2e16b30
25cb2d1c27f93198a0c22c0d91516b40bdf72db5b27d7684fb693a1adf1b6d52
41da396e871fb4898617c8ee8c9862016e8327d344aa9ca92286cd08613960ed
5eb7e3818b728594ca78e7ee60ebbc307a572c55e2edc1736f3098b0bbe7858f
87c1df2138a5b8fc918fd76b3b12da6f03ad345b480fe582f03005a7511ff4fa
a7634086135630c5a74eb9c337cae198a015db1f42136a87f900fc3c8f2f4824
d565c09d7b68f3745a1c0545035718c847f53dd80f56a27f3074f97e8b65f9e9
903527699f939e76923ea5d5489cd0665e503d34875c63f0baa2d202f3c3998e
963bc7a7692aaa83951959252a82fbecd043a194a3c12444d625c7620ac36469
d8b09993dd148c1c48224b04bb240ae823586dad7e365ef187e9c33f9882cfe5
98f647eef993d1ceac73629adfc39a5689b98f0161c8c3f6019cff9272e553b6
bfcc3256d46cea7ccc02dbc0e50a9015c0940e2d22086de24264028d99b14a99
e6b616cdc46faca34ffe75e19ffdc3bbc2833a2e53c836f160cd6d5ec8bfcef5
1763e928ff0b87df04094d5bca515f3f2ec8463995334b4110e3e1f73853faff
9a642c1aa5d84d03416e8c3843b240ba0571769a46a0a31a92d608d2f23e28a2
ab27a2a93e92f11d66bff9eef79afedc03b4ead3c918ada268ded094776c373b
f8acda3286b967516c42f496d9ee65e9ec1a516fc6a4b3d39229f7af55c85093
14ec79ee9c39e64f5d26977a7c08fe71a46f3c1b67ce5c6e06fc4c1202f269cb
1ec70d753468edf1751ee01595c8a053c8d5dfc472480e3aa0c74384e025b830
28ab5771dc3ec13fc89f470d11d113f060102a6013ad8efd88a7e4e3474b6b61
498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8
93dad7200065f05081e2a92304855d3363c2b589a5c7957b7e6a361d527992de
0eeb28e0cfbeccaea95b07a1c2f192257c44bb8f851fcba9de2c9a8f1286acdf
2ab4ef352a13242ba01ac7d9d9b5f81af97ec18c9c97026bd9f7b20f743d4c9e
2abe8240ad32db3f0f17d2d4bbeaec396bdc6dc540a0da1af69aa0dc62f16fcc

Detection & response playbook

Credential / info stealer

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @gusmano/reext (34 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @gusmano/reext across your stack and pipelines.

  2. If you installed it — respond

    @gusmano/reext is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If @gusmano/reext was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @gusmano/reext before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @gusmano/reext on npm has been identified as a malicious package (versions 0.0.92, 0.0.98, 0.0.104, 0.0.121, 0.0.128, 0.0.148, 0.0.150, 0.0.166, and 26 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002614IN-MAL-2026-002578IN-MAL-2026-002590IN-MAL-2026-002567IN-MAL-2026-002577IN-MAL-2026-002595IN-MAL-2026-002571IN-MAL-2026-002593IN-MAL-2026-002580IN-MAL-2026-002574IN-MAL-2026-002581IN-MAL-2026-002565IN-MAL-2026-002584IN-MAL-2026-002592IN-MAL-2026-002579IN-MAL-2026-002569IN-MAL-2026-002596IN-MAL-2026-002588IN-MAL-2026-002599IN-MAL-2026-002609IN-MAL-2026-002583IN-MAL-2026-002591IN-MAL-2026-002573IN-MAL-2026-002616IN-MAL-2026-002570IN-MAL-2026-002586IN-MAL-2026-002610IN-MAL-2026-002601IN-MAL-2026-002589IN-MAL-2026-002582IN-MAL-2026-002575IN-MAL-2026-002613IN-MAL-2026-002597IN-MAL-2026-002566

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @gusmano/reext-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring
@gusmano/reext (npm) malicious package — MAL-2026-3684 | O3 Security