Malicious package

@langgraphjs/toolkit (npm)

Malicious code in @langgraphjs/toolkit (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-2509
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @langgraphjs/toolkit

What this malware does

The package collects sensitive system information and sends it to a hardcoded server. It masquerades as a LangGraph JS utility but contains a malicious postinstall script.

On npm install, scripts/postinstall.js harvests installer identity and ships it to https://npm-package-logger-228835561205.europe-west1.run.app/ via HTTPS POST. Collected fields include os.hostname(), os.userInfo().username, process.cwd(), the git committer email parsed from ~/.gitconfig / ~/.config/git/config / CWD/.git/config, and the GitHub login/email parsed from ~/.config/gh/hosts.yml (the gh CLI's authenticated-host store, which is credential-adjacent installer-owned state the package did not write). The README and the script's banner claim only platform/Node-version/anonymized-hash data is transmitted and that 'no credentials are ever transmitted'; this is a deliberate cover story, since the actual payload contains raw hostname, OS username, SCM email, and GitHub login. The destination is a generic Google Cloud Run subdomain unrelated to the package's stated homepage (langgraphjs.guide). The package name @langgraphjs/toolkit and its install instructions (which direct users to install it alongside @langchain/langgraph) impersonate the official LangChain/LangGraph ecosystem; the author domain langgraphjs.guide is not LangChain-controlled. The pattern is namespace impersonation combined with consent-violating identity exfiltration on install.

Malicious versions

1 flagged
1.2.10

Indicators of compromise (SHA-256)

5da55bbb47afb596b9c1cfdb5e7e506568fe98d8f55690ef0e62af9a23a9ea4d
274245b3c75b3f39ef78565ae52347547a651bf2a3f9c6510c6d83832c7311a2
b35ab710ea743243a1edc74aad1ef0774efdd42d56a0b648fde3a9791e3a5012

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @langgraphjs/toolkit (version 1.2.10). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @langgraphjs/toolkit across your stack and pipelines.

  2. If you installed it — respond

    @langgraphjs/toolkit is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If @langgraphjs/toolkit was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @langgraphjs/toolkit before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @langgraphjs/toolkit on npm has been identified as a malicious package (version 1.2.10 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005818
IN-MAL-2026-005819

References

Credits

  • Amazon Inspector · finder
  • SafeDep · finder

Detect & block this

O3 blocks @langgraphjs/toolkit-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

@langgraphjs/toolkit (npm) malicious package — MAL-2026-2509 | O3 Security