Malicious package

88q (npm)

Malicious code in 88q (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3676
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 88q

What this malware does

The main entrypoint index.js runs an IIFE at require time that monkey-patches the global console.warn and console.error methods. After the override, every subsequent console.warn/console.error call in the host process causes the first argument to be JSON-stringified, URL-encoded, and sent via HTTPS GET to https://api.telegram.org/bot<token>/sendMessage with hardcoded chat_ids (-1001161709623 for warn, -1001433099398 for error).

The package exports only the undefined return value of the IIFE and provides no legitimate API, meaning its sole effect is the silent installation of a global diagnostic-log exfiltration channel. Any installer whose code runs console.warn/console.error after loading this module will leak log contents — which frequently include error stack traces, DB error messages, internal file paths, auth failures, and other sensitive runtime data — to an attacker-controlled Telegram chat.

Additional unreachable files (t.js, o.js, jq.js) contain author-owned Cloudflare, MapQuest, and Firebase credentials; these are author self-harm and not the basis for blocking, but reinforce that the package is a personal project with a clear installer-targeted backdoor in the main module.
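The load-time override described above changes the identity of console.warn and console.error, which a host process can check for. The following is an added example, not code from the package or from O3; the function names and the recording stand-in module are constructed for illustration.

```javascript
// Added example: detect a dependency that swaps console.warn/console.error at load time.
const WATCHED = ['warn', 'error'];

// Record the current function identity of each watched console method.
function snapshotConsole(target) {
  return Object.fromEntries(WATCHED.map((name) => [name, target[name]]));
}

// Run `loader` (for example () => require('some-dependency')), report which
// watched methods it replaced, and put the originals back.
function auditLoad(loader, target = console) {
  const before = snapshotConsole(target);
  let loadError = null;
  try {
    loader();
  } catch (err) {
    loadError = err;
  }
  const tampered = WATCHED.filter((name) => target[name] !== before[name]);
  for (const name of tampered) target[name] = before[name];
  return { tampered, loadError };
}

// Constructed stand-in for the load-time override described above. It only
// records what it would have seen in `sink`; it sends nothing anywhere.
function constructedHookingModule(target, sink) {
  for (const name of WATCHED) {
    target[name] = (first) => sink.push({ name, body: JSON.stringify(first) });
  }
}

// Demo on a throwaway console-like object so the real console is untouched.
function runDemo() {
  const fakeConsole = { log() {}, warn() {}, error() {} };
  const sink = [];
  const report = auditLoad(() => constructedHookingModule(fakeConsole, sink), fakeConsole);
  fakeConsole.error(new Error('constructed failure')); // goes to the restored original
  return { report, leaked: sink.length };
}
```

A non-empty `tampered` list for a dependency that has no reason to touch logging is grounds to pull that dependency and inspect its entrypoint.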

Malicious versions

18 flagged
1.0.2, 1.0.7, 1.1.1, 1.1.4, 1.1.5, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.3.2, 1.3.3, 1.3.5, 1.3.6, 1.4.6, 1.4.7, 1.4.8, 1.4.9

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for 88q (18 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging 88q across your stack and pipelines.

  2. If you installed it — respond

    88q is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If 88q was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks 88q before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
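For step 1 of the playbook, a lockfile check for package-lock.json can be as small as the following. This is an added example, not O3's scanner; the function name and the sample lockfile are constructed, and it covers only npm's package-lock.json format (pass it the file contents, for instance from fs.readFileSync).

```javascript
// Added example (not O3's scanner): find 88q in an npm package-lock.json.
const PACKAGE_NAME = '88q';
// The 18 versions this advisory flags.
const FLAGGED_VERSIONS = new Set([
  '1.0.2', '1.0.7', '1.1.1', '1.1.4', '1.1.5', '1.2.3', '1.2.4', '1.2.5', '1.2.6',
  '1.2.7', '1.3.2', '1.3.3', '1.3.5', '1.3.6', '1.4.6', '1.4.7', '1.4.8', '1.4.9',
]);

// Returns one record per installed copy of the package, direct or transitive.
function find88q(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED_VERSIONS.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths; "" is the project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // `name` is set when the folder name differs from the package name (aliases).
      const name = meta.name || path.split('node_modules/').pop();
      if (name === PACKAGE_NAME) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested `dependencies` tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE_NAME) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: one transitive flagged copy, one aliased copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'constructed-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/left': { version: '2.0.0' },
    'node_modules/left/node_modules/88q': { version: '1.4.9' },
    'node_modules/logger-alias': { name: '88q', version: '2.0.0' },
  },
});
```

Every hit is worth acting on, since the package has no legitimate API; the `flagged` field only tells you whether the installed version is one of the 18 listed here.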

Frequently asked questions

No. 88q on npm has been identified as a malicious package (versions 1.0.2, 1.0.7, 1.1.1, 1.1.4, 1.1.5, 1.2.3, 1.2.4, 1.2.5, and 10 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002489, IN-MAL-2026-002503, IN-MAL-2026-002494, IN-MAL-2026-002500, IN-MAL-2026-002487, IN-MAL-2026-002495, IN-MAL-2026-002504, IN-MAL-2026-002490, IN-MAL-2026-002501, IN-MAL-2026-002498, IN-MAL-2026-002488, IN-MAL-2026-002499, IN-MAL-2026-002492, IN-MAL-2026-002493, IN-MAL-2026-002502, IN-MAL-2026-002496, IN-MAL-2026-002497, IN-MAL-2026-002491

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks 88q-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.
