Which versions of @caspianph/storyteller are malicious?

The following npm versions of @caspianph/storyteller are flagged malicious: 1.1.13. Treat any of these as compromised.

How do I remediate @caspianph/storyteller if I installed it?

Remove @caspianph/storyteller from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @caspianph/storyteller part of a known attack campaign?

Yes — @caspianph/storyteller is associated with the IN-MAL-2026-006986 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @caspianph/storyteller in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @caspianph/storyteller and packages like it before any post-install script runs.

Malicious package

@caspianph/storytellernpm

Malicious code in @caspianph/storyteller (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6120

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @caspianph/storyteller

What this malware does

The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers (_0x32549a, _0x4b2b44, _0x78c349, _0x119ac2) typical of payload-hiding techniques. A file named setup.cjs in an npm package is structurally positioned to be invoked from a lifecycle hook (preinstall/install/postinstall) or required at module load. Legitimate npm packages do not obfuscate their install-time code; obfuscation in this position is overwhelmingly used to hide network beacons, credential reads, or dropper logic from casual inspection.

Malicious versions

1 flagged

1.1.13

Indicators of compromise (SHA-256)

3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a

Frequently asked questions

No. @caspianph/storyteller on npm has been identified as a malicious package (version 1.1.13 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006986

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection