Malicious package

8oo (npm)

Malicious code in 8oo (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3677
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 8oo

What this malware does

The package's main entry (index.js) executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercepted call (log, error, dir, and any other method via the Proxy's default handler) issues a fetch to https://api.telegram.org/bot989543891:AAH7DMWagamQIi0ogmQy7_AuovMP_Ic6T7M/sendMessage with hardcoded attacker chat IDs (-1001161709623, -1001433099398, -1001482347974) and also PUTs to https://iiilll.firebaseio.com/<ts>.json. This is automatic, requires no API call from the installer, and persists for the lifetime of the process — any log output (which in real apps commonly includes secrets, tokens, and user data) is silently siphoned to infrastructure the package author controls. Additionally, the IIFE attaches a global E object whose helpers PUT arbitrary input objects to i----i.firebaseio.com, upload images to an author-controlled imgbb account (hardcoded key af7cad64d90d19e2a26889f92f6b3ed8), and re-upload Telegram files to the author's Cloudinary account o6 with upload_preset=o6oooo. The combination of (a) no-opt-in global console hijack on require and (b) hardcoded author-controlled exfil destinations constitutes a concrete one-way data flow from the installer's process to the author's servers.

Malicious versions

16 flagged
0.0.4, 0.0.5, 0.0.6, 0.0.8, 0.0.9, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.21, 0.0.22

Indicators of compromise (SHA-256)
Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for 8oo (16 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging 8oo across your stack and pipelines.

  2. If you installed it — respond

    8oo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If 8oo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks 8oo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
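A lockfile check for step 1 of the playbook, as an added example that is not O3's scanner or code from the advisory. It covers npm's package-lock.json only (both the flat v2/v3 `packages` map and the nested v1 `dependencies` tree); the function names, the sample lockfile and the `some-lib` and `8oo-helper` package names are constructed for illustration.

```javascript
// Added example: flag 8oo in a parsed package-lock.json (advisory MAL-2026-3677).
const BAD_NAME = "8oo";
const BAD_VERSIONS = new Set([
  "0.0.4", "0.0.5", "0.0.6", "0.0.8", "0.0.9", "0.0.11", "0.0.12", "0.0.13",
  "0.0.14", "0.0.15", "0.0.16", "0.0.17", "0.0.18", "0.0.19", "0.0.21", "0.0.22",
]);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    // Aliased installs record the real package name in entry.name.
    const name = entry.name || path.split("node_modules/").pop();
    if (name === BAD_NAME) hits.push({ path, version: entry.version });
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencies(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === BAD_NAME) hits.push({ path, version: entry.version });
    scanDependencies(entry.dependencies, `${path}/`, hits);
  }
}

// Returns every 8oo entry; "flagged" is true for the 16 versions the advisory lists.
function findMalicious(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, "", hits);
  return hits.map((h) => ({ ...h, flagged: BAD_VERSIONS.has(h.version) }));
}

// Constructed sample lockfile (v3 layout) with 8oo pulled in transitively.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/8oo": { version: "0.0.12" },
    "node_modules/8oo-helper": { version: "0.0.12" }, // constructed look-alike, must not match
  },
};

for (const h of findMalicious(sampleLock)) {
  console.log(`${h.flagged ? "MALICIOUS" : "review"} ${h.path}@${h.version}`);
}
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json contents to `findMalicious`; the install path in each hit shows which parent dependency pulled the package in.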

Frequently asked questions

No. 8oo on npm has been identified as a malicious package (versions 0.0.4, 0.0.5, 0.0.6, 0.0.8, 0.0.9, 0.0.11, 0.0.12, 0.0.13, and 8 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002189, IN-MAL-2026-002182, IN-MAL-2026-002202, IN-MAL-2026-002190, IN-MAL-2026-002194, IN-MAL-2026-002185, IN-MAL-2026-002184, IN-MAL-2026-002195, IN-MAL-2026-002187, IN-MAL-2026-002191, IN-MAL-2026-002192, IN-MAL-2026-002186, IN-MAL-2026-002183, IN-MAL-2026-002196, IN-MAL-2026-002193, IN-MAL-2026-002181

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks 8oo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

8oo (npm) malicious package — MAL-2026-3677 | O3 Security