Which versions of @flipbit2-bb/test-auth-state are malicious?

The following npm versions of @flipbit2-bb/test-auth-state are flagged malicious: 0.0.2. Treat any of these as compromised.

How do I remediate @flipbit2-bb/test-auth-state if I installed it?

Remove @flipbit2-bb/test-auth-state from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @flipbit2-bb/test-auth-state — how do I know if it already compromised me?

If @flipbit2-bb/test-auth-state was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @flipbit2-bb/test-auth-state part of a known attack campaign?

Yes — @flipbit2-bb/test-auth-state is associated with the IN-MAL-2026-003395, IN-MAL-2026-003396 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @flipbit2-bb/test-auth-state across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @flipbit2-bb/test-auth-state (version 0.0.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @flipbit2-bb/test-auth-state across your stack and pipelines.

Malicious package

@flipbit2-bb/test-auth-statenpm

Malicious code in @flipbit2-bb/test-auth-state (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4389

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @flipbit2-bb/test-auth-state

What this malware does

On npm install, a postinstall script (phone-home.js) collects os.hostname(), os.userInfo().username, process.platform + os.release(), a timestamp, and a package label, then issues an HTTPS GET to https://webhook.site/a536b433-b440-43ec-8399-26059196216e. The package is published under @flipbit2-bb/test-auth-state but the bundled tarball, README, and the phone-home payload's v field all identify as @atlassiansox/[email protected] — a dependency-confusion targeting of Atlassian's internal scope, with version 99.99.99 chosen to win internal-vs-public resolution. Any installer who pulls this package — not just the intended target — leaks host identifiers to the author's webhook.site endpoint. The package has no other functionality.

Malicious versions

1 flagged

0.0.2

Indicators of compromise (SHA-256)

52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63

f5b20d9f984339db71670891222b3ac823f16fc30dca773e09a111b0b3fed8fa

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @flipbit2-bb/test-auth-state (version 0.0.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @flipbit2-bb/test-auth-state across your stack and pipelines.
If you installed it — respond
Remove @flipbit2-bb/test-auth-state from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @flipbit2-bb/test-auth-state was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @flipbit2-bb/test-auth-state before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @flipbit2-bb/test-auth-state on npm has been identified as a malicious package (version 0.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003395IN-MAL-2026-003396

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @flipbit2-bb/test-auth-state-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring