Which versions of @ci-lifecycle-test/postinstall-ping are malicious?

The following npm versions of @ci-lifecycle-test/postinstall-ping are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate @ci-lifecycle-test/postinstall-ping if I installed it?

Remove @ci-lifecycle-test/postinstall-ping from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @ci-lifecycle-test/postinstall-ping part of a known attack campaign?

Yes — @ci-lifecycle-test/postinstall-ping is associated with the IN-MAL-2026-006274, IN-MAL-2026-006273 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @ci-lifecycle-test/postinstall-ping in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @ci-lifecycle-test/postinstall-ping and packages like it before any post-install script runs.

Malicious package

@ci-lifecycle-test/postinstall-pingnpm

Malicious code in @ci-lifecycle-test/postinstall-ping (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5723

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @ci-lifecycle-test/postinstall-ping

What this malware does

The package's postinstall lifecycle script (postinstall.js) executes automatically on npm install and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with .catch(() => {}) so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license-check, telemetry-disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

47c5e4ee38e9d87c1968c83d8998cb9832d2e72445558ac35217671f1f61d64b

75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509

Frequently asked questions

No. @ci-lifecycle-test/postinstall-ping on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006274IN-MAL-2026-006273

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection