Which versions of @httpactions/strict-uri-encode are malicious?

The following npm versions of @httpactions/strict-uri-encode are flagged malicious: 1.0.1. Treat any of these as compromised.

How do I remediate @httpactions/strict-uri-encode if I installed it?

Remove @httpactions/strict-uri-encode from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @httpactions/strict-uri-encode part of a known attack campaign?

Yes — @httpactions/strict-uri-encode is associated with the IN-MAL-2026-007015 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @httpactions/strict-uri-encode in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @httpactions/strict-uri-encode and packages like it before any post-install script runs.

Malicious package

@httpactions/strict-uri-encodenpm

Malicious code in @httpactions/strict-uri-encode (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6140

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @httpactions/strict-uri-encode

What this malware does

@httpactions/strict-uri-encode impersonates the popular unscoped npm package 'strict-uri-encode' (~30M weekly downloads) by republishing the same name under a lookalike scope. The package ships no URI-encoding functionality; index.js is a heavily obfuscated dropper (obfuscator.io-style 110-entry rotating string array, base64-decoded module names for 'https', 'child_process', 'writeFileSync', 'exec', 'spawn', 'hostname', 'username') that executes immediately on require() and again every ~10 minutes via setInterval. The dropper assembles a hardcoded IP-based URL from base64 fragments (e.g. 'MC44Ni4x' → '0.86.117.x'), HTTPS-GETs a remote payload, writes it to disk via fs.writeFileSync, and executes it via child_process.exec/spawn — yielding arbitrary remote code execution on any machine that requires the module. In parallel, bt() POSTs {ts, type, hid, ss, cc} containing os.hostname() and os.userInfo().username to the same hardcoded IP, exfiltrating installer host identity unconditionally on import and on the 10-minute timer. Combination of typosquatted name, zero legitimate functionality, heavy obfuscation, hardcoded IP C2, host-identity exfiltration, and require-time fetch-and-execute is an unambiguous supply-chain attack.

Malicious versions

1 flagged

1.0.1

Indicators of compromise (SHA-256)

b90fd30f5d52b139ea7be77aa1782a5339f39355ec7ad532af2fa7a49616ff88

Frequently asked questions

No. @httpactions/strict-uri-encode on npm has been identified as a malicious package (version 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007015

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection