Which versions of @helpcentre/tesco-help are malicious?

The following npm versions of @helpcentre/tesco-help are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate @helpcentre/tesco-help if I installed it?

Remove @helpcentre/tesco-help from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @helpcentre/tesco-help part of a known attack campaign?

Yes — @helpcentre/tesco-help is associated with the IN-MAL-2026-005281, IN-MAL-2026-005282 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @helpcentre/tesco-help in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @helpcentre/tesco-help and packages like it before any post-install script runs.

Malicious package

@helpcentre/tesco-helpnpm

Malicious code in @helpcentre/tesco-help (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5521

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @helpcentre/tesco-help

What this malware does

On npm install, the postinstall hook runs node index.js, which performs an HTTPS POST to https://f1ackavab3.execute-api.eu-west-2.amazonaws.com/ carrying the installer's hostname (os.hostname()) and current working directory (process.cwd()) as JSON. The package has no other functionality. The scoped name @helpcentre/tesco-help targets a Tesco-branded internal namespace, and the inflated 999.0.0 version is the canonical dependency-confusion technique used to override a private package of the same name when an installer's registry config falls back to public npm. Installers who resolve this package leak host-identifying reconnaissance data to an attacker-controlled API Gateway endpoint, enabling targeted follow-on attacks against the affected build environment.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042

f12f0ae044f23cb43cc95601156cd73349e8d8ee81c1d8a105b413416540f4d4

Frequently asked questions

No. @helpcentre/tesco-help on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005281IN-MAL-2026-005282

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection