Malicious package: @koadz/sso (npm)

Malicious code in @koadz/sso (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5562
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach. The payload runs at install time, so treat every environment that installed the package as already exposed; uninstalling does not undo an exfiltration that has already happened.
npm uninstall @koadz/sso

What this malware does

package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload (absent from the index.ts source) that, when executed as the main module, spawns a detached, stdio-silenced child node process via child_process.spawn(process.execPath, ['-e',...]). The inline script collects os.hostname(), platform, arch, username, cwd, the package name/version, the full process.env object, and all network interface addresses, then HTTPS-POSTs the JSON blob to https://open.feishu.cn/open-apis/bot/v2/hook/94ad3a53-f0d6-4ddd-809f-305d928db6d5. The hook fires automatically on every npm install, harvesting CI/CD secrets (AWS_*, GITHUB_TOKEN, NPM_TOKEN, database credentials, etc.) from any machine that installs the package. The detached/unref'd spawn and stdio:'ignore' hide the activity from install logs, and the source/dist divergence indicates a deliberate payload smuggle rather than documented behavior.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb

Frequently asked questions

No. @koadz/sso on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005470


Credits

  • Amazon Inspector · finder

@koadz/sso (npm) malicious package — MAL-2026-5562 | O3 Security