Which versions of @nstrlabs/shared-components are malicious?

The following npm versions of @nstrlabs/shared-components are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @nstrlabs/shared-components if I installed it?

Remove @nstrlabs/shared-components from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @nstrlabs/shared-components part of a known attack campaign?

Yes — @nstrlabs/shared-components is associated with the IN-MAL-2026-005086, IN-MAL-2026-005087, IN-MAL-2026-005152, IN-MAL-2026-005153 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @nstrlabs/shared-components in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @nstrlabs/shared-components and packages like it before any post-install script runs.

Malicious package

@nstrlabs/shared-componentsnpm

Malicious code in @nstrlabs/shared-components (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5422

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @nstrlabs/shared-components

What this malware does

On npm install, the package's preinstall script runs index.js, which collects host identifiers (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package name) and ships them to two attacker-controlled destinations: (1) a hex-encoded DNS subdomain query against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (Interactsh-style out-of-band exfiltration), and (2) an HTTP POST of the same JSON payload to bare IP http://172.201.213.59:9090/c. The package is published under @nstrlabs/shared-components at version 99.0.0 with description security research — a high semver against a generic scoped name consistent with a dependency-confusion attack targeting an internal nstrlabs namespace. There is no legitimate library functionality; the preinstall beacon is the package's only effect.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

af9737388d5d3e4542198eb5ae3bb13c2d13eefc97331fb32ed105626218776a

ebac43bd1c2448eeb204605bf63cd432020d8bbb4f6d52519ab1a88ac43137d8

efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445

2726b4c9e7c8d06bdcf4396f2e33ee39e620b79710e5fbe6ca2b9dbe6dc50dcc

Frequently asked questions

No. @nstrlabs/shared-components on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005086IN-MAL-2026-005087IN-MAL-2026-005152IN-MAL-2026-005153

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection