Malicious package

@apexcraft/nano-key (npm)

Malicious code in @apexcraft/nano-key (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6210
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @apexcraft/nano-key

What this malware does

@apexcraft/nano-key presents itself as a 12-byte sortable ID generator (its README and repository metadata are copied from yiwen-ai/xid-ts, an unrelated upstream project), but ships a 250KB obfuscator.io-style payload at dist/cjs/seed.cjs. package.json declares "postinstall": "node ./dist/cjs/seed.cjs", so the payload runs automatically on npm install.

The same runPrepare() entry point is also invoked at module load: index.js line 25 calls _seed.runPrepare() inside newState(), and line 35 calls newState() at top level as defaultState = newState(). Any consumer that requires the package therefore re-triggers the dropper, including installs made with npm install --ignore-scripts, which skips the postinstall hook but not module-load code.

seed.cjs uses an RC4+base64 rotating string-array decoder (_0x554f / _0x1420), control-flow flattening, a self-defending IIFE, and a debugger-protection loop to hide an AES-256-GCM-encrypted URL list that is only decrypted at runtime. It then issues https.request() calls to those URLs, stages the response under ~/.cache (or %LOCALAPPDATA% on Windows / ~/Library/Caches on macOS), sha256-stamps the file, and executes it with child_process.spawn(process.execPath, [file]); an alternate branch runs the file under the bun runtime instead.

There is no signature or hash pinning of the fetched bytes, the destination is decrypted at runtime (so the C2 can change without the package changing), and the package's stated purpose (ID generation) gives it no legitimate reason to fetch and execute remote code. Installing or requiring this package hands arbitrary remote code execution to whoever controls the encrypted endpoint.

Malicious versions

2 flagged
1.3.4
1.3.8

Indicators of compromise (SHA-256)

a07948bbe7c664c2248fc90112dccc0258f9857706b50eed5f68e7ddd7dc6f62
c46938b3634fb4de89ddf44b765e1c766c871a40fb31c54609c1b3526074e65c

Frequently asked questions

Is @apexcraft/nano-key safe to use?

No. @apexcraft/nano-key on npm has been identified as a malicious package (versions 1.3.4 and 1.3.8 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-007076
IN-MAL-2026-007077

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.