Which versions of @nstrlabs/ixel are malicious?

The following npm versions of @nstrlabs/ixel are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @nstrlabs/ixel if I installed it?

Remove @nstrlabs/ixel from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @nstrlabs/ixel part of a known attack campaign?

Yes — @nstrlabs/ixel is associated with the IN-MAL-2026-005094, IN-MAL-2026-005093, IN-MAL-2026-005149, IN-MAL-2026-005148 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @nstrlabs/ixel in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @nstrlabs/ixel and packages like it before any post-install script runs.

Malicious package

@nstrlabs/ixelnpm

Malicious code in @nstrlabs/ixel (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5420

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @nstrlabs/ixel

What this malware does

On npm install, the package runs node index.js via a preinstall lifecycle hook (declared as "preinstall": "node index.js || true" so failures are silenced). index.js collects os.hostname(), os.userInfo().username, __dirname, and process.cwd() and exfiltrates them two ways: (1) a hex-encoded subdomain DNS query against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (interactsh-style out-of-band beacon), and (2) an HTTP POST of a JSON blob to the hardcoded bare IP http://172.201.213.59:9090/c. Errors are swallowed via || true, try/catch, and a no-op HTTP error handler so the install appears to succeed. The package is published under the @nstrlabs scope at version 99.0.0 with description 'security research' — the canonical dependency-confusion recon shape, where a high version is published to a public registry to override an internal-scope package and beacon any host that resolves it. The package has no legitimate functionality; its only effect on install is the host-metadata beacon.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

0d9233446ae1b81338630ea6d9ef3ca2e08db8b46a737baf87970cedc00212bb

30f1436c6da35578a503200c102818817b2bb6ca8cfc863d1191b2e0a0aa08a7

0e63be698b01a3e68a3eaffe480367135ca4cbc6a14738cd2a6ab91dff475a7a

64b10f7a8ca25ac33a6d1e94038d1dbfd68d113d9ab7d7a428d97417b3409c7d

Frequently asked questions

No. @nstrlabs/ixel on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005094IN-MAL-2026-005093IN-MAL-2026-005149IN-MAL-2026-005148

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection