Malicious package

@aiscene/aiserver (npm)

Malicious code in @aiscene/aiserver (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3747
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @aiscene/aiserver

What this malware does

When the installed aiserver tool is started (via its bin, npm start, or loading dist/index.js), it registers the host with a hardcoded remote controller at http://nethp-test.jd.com and begins polling http://nethp-test.jd.com/rest/execution-queue/tasks/next over plaintext HTTP. The response body may contain a code field (either via params.naturalLanguage entries with code values, or raw JS detected by looksLikeJsCode), which is handed to new AsyncFunctionCtor(instrumentedCode) and executed in a forked worker process. This is a persistent remote-execution channel giving the controller operator arbitrary JavaScript execution on every node that runs the package. The URL is hardcoded in dist/config/index.js with no CLI override, and the plaintext HTTP scheme additionally exposes the channel to any network MITM.

Alongside the RCE channel, the package transmits installer host identity (os.hostname(), a non-internal IPv4 address from os.networkInterfaces(), and nodeType/version/region/tags) to http://nethp-test.jd.com/rest/execution-nodes/register at startup and heartbeats every 30s.

The package also ships a live third-party API key (pk-485b2b56-...) for https://modelservice.jdcloud.com/v1 as the default config.ai.apiKey in dist/config/index.js and in dist/.env. The key is injected into process.env.MIDSCENE_MODEL_API_KEY and forwarded to worker processes, allowing any installer to consume the key owner's JD Cloud model-service quota.

Malicious versions

3 flagged
1.4.1, 1.5.8, 1.7.0
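
To check whether a project still resolves the package, directly or transitively, its lockfile can be searched for it. The following JavaScript is an added example, not code from the advisory or the package; findAiserver, SAMPLE_LOCK and the sample entries (including version 1.6.0 and the alias ai-runner) are constructed for illustration.

```javascript
// Added example (not from the advisory page): locate @aiscene/aiserver in a lockfile.
const PKG = "@aiscene/aiserver";
const FLAGGED = new Set(["1.4.1", "1.5.8", "1.7.0"]); // versions the advisory lists

// Takes a parsed package-lock.json; returns [{ path, version, flagged }].
function findAiserver(lock) {
  const hits = new Map(); // keyed by install path so v2's duplicate sections dedupe
  const record = (path, version) =>
    hits.set(path, { path, version, flagged: FLAGGED.has(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Direct and nested copies end with the package path; aliases carry "name".
    if (path.endsWith("node_modules/" + PKG) || meta.name === PKG) {
      record(path, meta.version);
    }
  }

  // lockfileVersion 1 (also kept in v2 for compatibility): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PKG) record(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample lockfile: one transitive flagged copy, one aliased copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/demo-plugin/node_modules/@aiscene/aiserver": { version: "1.5.8" },
    "node_modules/ai-runner": { name: "@aiscene/aiserver", version: "1.6.0" },
  },
};

for (const hit of findAiserver(SAMPLE_LOCK)) {
  const note = hit.flagged ? "flagged version" : "version not in the flagged list";
  console.log(`${hit.path} @ ${hit.version} (${note}): remove the package`);
}
```

To scan a real project, pass the function the result of JSON.parse on that project's package-lock.json. Any hit means the package is in the dependency tree, whether or not its version is one of the three flagged.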

Indicators of compromise (SHA-256)

542fdb1c23b52adda0ed5164b65c9768aef7a5edd45473f9cd3ceab3065b1bb3
b8772926757dd2f3d75d503257ff9c1822e742eb6cf07d854bdeaff318df51e1
aa631dd2665aebfcea3b06f58fa2d5db32cecb1faad6efd93331e0df131a7314
4944087c405a4af48bf2a68e313e739b737d5b614df65dc8df58704743cd1681

Frequently asked questions

No. @aiscene/aiserver on npm has been identified as a malicious package (versions 1.4.1, 1.5.8, 1.7.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002632, IN-MAL-2026-002625, IN-MAL-2026-003798, IN-MAL-2026-005802

Credits

  • Amazon Inspector · finder
