Malicious package

@chunklab/hexparse (npm)

Malicious code in @chunklab/hexparse (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6214
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @chunklab/hexparse

What this malware does

The package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function (encodeHex, decodeHex, encodeBase64,...) invokes _runPrepare() from script/prelude.cjs (and esm/prelude.mjs), a ~277 KB obfuscator.io-packed module that uses a rotating string array and an RC4-style string decoder with hex-named identifiers (_0xe119, _0x19b8).

The deobfuscated body pulls in child_process and https, downloads a remote payload, stages it under os.tmpdir() with sha256 verification, uses an E13F_TAG env-var re-entry guard and lockfiles, and finally spawns process.execPath on the downloaded file. Any consumer that imports the package and calls its advertised API silently fetches and executes attacker-controlled code on the installer's machine. None of this functionality is needed for a hex codec; the codec methods exist only as cover for the dropper.

The package also impersonates an unrelated upstream project: package.json repository.url, bugs.url, and homepage all point to github.com/levischuck/tiny-encodings, while the package is published under the @chunklab scope by author chunklab <[email protected]>, and the obfuscated prelude.cjs/prelude.mjs files are not present in that upstream. This is an identity-spoofing republish that adds malware on top of a legitimate codec source tree.

Malicious versions

1 flagged
1.1.7
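
To confirm the package is gone from the whole dependency tree and not just from package.json, the lockfile can be audited for the name and flagged version above. The following is an added example, not code from the advisory or from O3 Security; `findInstalls`, `SAMPLE_LOCK`, `demo-app` and `some-cli` are hypothetical names, and the sample lockfile is constructed.

```javascript
// Added example, not from the advisory. Package name and flagged version are
// the advisory's; the lockfile below is constructed sample data.
const BAD_NAME = "@chunklab/hexparse";
const BAD_VERSIONS = ["1.1.7"];

// Find every copy of BAD_NAME recorded in a parsed package-lock.json,
// whether it is a direct dependency or nested under another package.
function findInstalls(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === BAD_NAME) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1 (also kept in v2 files): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === BAD_NAME && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, flagged: BAD_VERSIONS.includes(h.version) }));
}

// Constructed sample: "some-cli" is a hypothetical package that pulls the
// malicious one in transitively, so it appears in no package.json you own.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/@chunklab/hexparse": { version: "1.1.7" },
  },
};

for (const hit of findInstalls(SAMPLE_LOCK)) {
  console.log(`${hit.flagged ? "FLAGGED" : "present"} ${hit.path}@${hit.version}`);
}
```

On a real project, pass the parsed contents of package-lock.json. A hit nested under another package is a transitive dependency, so the parent package has to be removed or updated as well.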

Indicators of compromise (SHA-256)

56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013

Frequently asked questions

No. @chunklab/hexparse on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007080

Credits

  • Amazon Inspector · finder

@chunklab/hexparse (npm) malicious package — MAL-2026-6214 | O3 Security