Which versions of @nstrlabs/utils are malicious?

The following npm versions of @nstrlabs/utils are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @nstrlabs/utils if I installed it?

Remove @nstrlabs/utils from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @nstrlabs/utils part of a known attack campaign?

Yes — @nstrlabs/utils is associated with the IN-MAL-2026-005102, IN-MAL-2026-005101, IN-MAL-2026-005142, IN-MAL-2026-005143 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @nstrlabs/utils in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @nstrlabs/utils and packages like it before any post-install script runs.

Malicious package

@nstrlabs/utilsnpm

Malicious code in @nstrlabs/utils (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5423

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @nstrlabs/utils

What this malware does

On npm install, the package's preinstall script (node index.js || true) executes automatically and collects host identifiers from the installer's machine — os.hostname(), os.userInfo().username, __dirname, and process.cwd() — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP http://172.201.213.59:9090/c. Second, the data is hex-encoded into a subdomain and resolved via DNS against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live, an Interactsh out-of-band beacon. The || true suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

3dc7b28e2c70c166b75e806b589dac5e2aae3dffe338f5b9f2707692dd1b8c17

84a4bcae5f6897112304920f60d6cbb6cbe880104db4ef1ff69be17fbb69b8ac

36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355

99c9771eea6e1ac9070aeee2d1c4a2264bfd92586e2af228932ca88f5fee0b0f

Frequently asked questions

No. @nstrlabs/utils on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005102IN-MAL-2026-005101IN-MAL-2026-005142IN-MAL-2026-005143

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection