Which versions of @langgraphjs/toolkit are malicious?

The following npm versions of @langgraphjs/toolkit are flagged malicious: 1.2.10. Treat any of these as compromised.

How do I remediate @langgraphjs/toolkit if I installed it?

Remove @langgraphjs/toolkit from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @langgraphjs/toolkit part of a known attack campaign?

Yes — @langgraphjs/toolkit is associated with the IN-MAL-2026-005818, IN-MAL-2026-005819 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @langgraphjs/toolkit in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @langgraphjs/toolkit and packages like it before any post-install script runs.

Malicious package

@langgraphjs/toolkitnpm

Malicious code in @langgraphjs/toolkit (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-2509

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @langgraphjs/toolkit

What this malware does

Package collects and sends sensitive system info to a hardcoded server. The package masquerades as a LangGraph JS utility but contains a malicious postinstall script.

On npm install, scripts/postinstall.js harvests installer identity and ships it to https://npm-package-logger-228835561205.europe-west1.run.app/ via HTTPS POST. Collected fields include os.hostname(), os.userInfo().username, process.cwd(), the git committer email parsed from ~/.gitconfig / ~/.config/git/config / CWD/.git/config, and the GitHub login/email parsed from ~/.config/gh/hosts.yml (the gh CLI's authenticated-host store, which is credential-adjacent installer-owned state the package did not write). The README and the script's banner claim only platform/Node-version/anonymized-hash data is transmitted and that 'no credentials are ever transmitted' — this is a deliberate cover story; the actual payload contains raw hostname, OS username, SCM email, and GitHub login. The destination is a generic Google Cloud Run subdomain unrelated to the package's stated homepage (langgraphjs.guide). The package name @langgraphjs/toolkit and its install instructions (which direct users to install it alongside @langchain/langgraph) impersonate the official LangChain/LangGraph ecosystem; the author domain langgraphjs.guide is not LangChain-controlled. Namespace impersonation combined with consent-violating identity exfiltration on install.

Malicious versions

1 flagged

1.2.10

Indicators of compromise (SHA-256)

5da55bbb47afb596b9c1cfdb5e7e506568fe98d8f55690ef0e62af9a23a9ea4d

274245b3c75b3f39ef78565ae52347547a651bf2a3f9c6510c6d83832c7311a2

b35ab710ea743243a1edc74aad1ef0774efdd42d56a0b648fde3a9791e3a5012

Frequently asked questions

No. @langgraphjs/toolkit on npm has been identified as a malicious package (version 1.2.10 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005818IN-MAL-2026-005819

References

Credits

Amazon Inspector · finder
SafeDep · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection