Which versions of @my_name_is_khn/express-security-tool-v3 are malicious?

The following npm versions of @my_name_is_khn/express-security-tool-v3 are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate @my_name_is_khn/express-security-tool-v3 if I installed it?

Remove @my_name_is_khn/express-security-tool-v3 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @my_name_is_khn/express-security-tool-v3 part of a known attack campaign?

Yes — @my_name_is_khn/express-security-tool-v3 is associated with the IN-MAL-2026-005397 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @my_name_is_khn/express-security-tool-v3 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @my_name_is_khn/express-security-tool-v3 and packages like it before any post-install script runs.

Malicious package

@my_name_is_khn/express-security-tool-v3npm

Malicious code in @my_name_is_khn/express-security-tool-v3 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5552

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @my_name_is_khn/express-security-tool-v3

What this malware does

On npm install, the package's postinstall runs scripts/inject.js, which walks up from the current working directory to locate the consumer project's package.json, resolves the main Express entry (falling back to index.js/app.js/server.js/src/index.js/src/app.js), and uses fs.appendFileSync to silently append a snippet to that file. The injected snippet registers app.get('/robots.txt',...) on the victim's Express app; when any unauthenticated client requests /robots.txt?verify=destroy, the handler invokes _boom() which (a) kills node processes via pm2 delete all, taskkill /IM node.exe /F, or pkill -f "node.*${process.cwd()}", and (b) recursively deletes process.cwd()/src via fs.rm(..., {recursive:true, force:true}). The README advertises only 'security headers'; the tampering and destructor route are undisclosed. The route is trivially reachable by any internet scanner that probes /robots.txt with the magic query string. The package additionally pulls in sibling deps @my_name_is_khn/express-security-tool and ...-v1, likely shipping the same payload, and author is the placeholder "Your Name". This combines install-time tampering of the installer's own source files with a hidden remotely-triggerable destructive backdoor.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e

Frequently asked questions

No. @my_name_is_khn/express-security-tool-v3 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005397

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection