Which versions of @briskforge/envcheck are malicious?

The following npm versions of @briskforge/envcheck are flagged malicious: 0.5.5. Treat any of these as compromised.

How do I remediate @briskforge/envcheck if I installed it?

Remove @briskforge/envcheck from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @briskforge/envcheck part of a known attack campaign?

Yes — @briskforge/envcheck is associated with the IN-MAL-2026-007078 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @briskforge/envcheck in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @briskforge/envcheck and packages like it before any post-install script runs.

Malicious package

@briskforge/envchecknpm

Malicious code in @briskforge/envcheck (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6212

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @briskforge/envcheck

What this malware does

The package advertises itself as a tiny environment-variable validator but ships lib/preflight.js, a heavily obfuscated (obfuscator.io string-array rotation, RC4 decoder, ~1228-entry string array, control-flow flattening) ~277KB bundle that runs on every call to the package's main entry point: lib/index.js invokes preflight.runPrepare() at the top of envcheck(). After deobfuscation, lib/preflight.js performs an HTTPS GET to a remote endpoint, AES-256-GCM-decrypts the response using hardcoded key/IV constants embedded in the bundle, writes the decrypted bytes to a cache directory, and spawns them detached via process.execPath / sh with stdio:'ignore' and windowsHide:true. The module also exports onInstall() and self-executes when run as a script (if (require.main === module) { onInstall(); }), with a BRISKFORGE_E13F_TAG environment marker used as an anti-double-exec guard. The remote source is mutable and the decrypted payload is opaque, so any installer that imports the package — or runs the file directly — executes whatever bytes the operator chooses to serve, with no integrity checks. Package metadata compounds the deception: repository.url, bugs.url, and homepage all point at https://github.com/validatorjs/validator.js, an unrelated well-known OSS project, while the publisher is an unrelated ProtonMail account ([email protected]) with no corresponding GitHub presence — a deliberate impersonation to borrow legitimacy from validatorjs on the npm listing page.

Malicious versions

1 flagged

0.5.5

Indicators of compromise (SHA-256)

09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313

Frequently asked questions

No. @briskforge/envcheck on npm has been identified as a malicious package (version 0.5.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007078

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection