Which versions of @onum-releases/ixel are malicious?

The following npm versions of @onum-releases/ixel are flagged malicious: 1.0.1, 1.0.2, 1.0.3. Treat any of these as compromised.

How do I remediate @onum-releases/ixel if I installed it?

Remove @onum-releases/ixel from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @onum-releases/ixel part of a known attack campaign?

Yes — @onum-releases/ixel is associated with the IN-MAL-2026-006995, IN-MAL-2026-007003, IN-MAL-2026-006994 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @onum-releases/ixel in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @onum-releases/ixel and packages like it before any post-install script runs.

Malicious package

@onum-releases/ixelnpm

Malicious code in @onum-releases/ixel (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6124

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @onum-releases/ixel

What this malware does

On import, index.js reads os.hostname() and issues an HTTPS GET to ixel.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel (oastify.com is Burp Suite's Collaborator out-of-band interaction domain). The hostname is embedded as a DNS subdomain label, so the DNS resolution alone leaks the installer's hostname to an attacker-controlled nameserver regardless of whether the HTTP request succeeds. Any developer machine or CI runner that require()s this package — directly or transitively — sends a host identifier to the operator of the configured Collaborator instance. The package.json description ("Security PoC placeholder - benign, no runtime payload") contradicts the shipped code, and the @onum-releases scope appears designed to resemble a legitimate vendor releases namespace.

Malicious versions

3 flagged

1.0.11.0.21.0.3

Indicators of compromise (SHA-256)

03f19785a8c7b4908b1bdab949073500ac828a2ccc3d34562cac16b4fce4a45b

0405bead6aa6dd628190974d5555a124113b2fc630e8a90f11be30a238af88d2

188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599

Frequently asked questions

No. @onum-releases/ixel on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006995IN-MAL-2026-007003IN-MAL-2026-006994

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection