Which versions of @remitee-money-transfer/rmt-base are malicious?

The following npm versions of @remitee-money-transfer/rmt-base are flagged malicious: 99.99.99, 99.99.100, 99.99.102, 99.99.104. Treat any of these as compromised.

How do I remediate @remitee-money-transfer/rmt-base if I installed it?

@remitee-money-transfer/rmt-base is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @remitee-money-transfer/rmt-base — how do I know if it already compromised me?

If @remitee-money-transfer/rmt-base was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

How do I find @remitee-money-transfer/rmt-base across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @remitee-money-transfer/rmt-base (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @remitee-money-transfer/rmt-base across your stack and pipelines.

Malicious package

@remitee-money-transfer/rmt-basenpm

Malicious code in @remitee-money-transfer/rmt-base (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4424

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @remitee-money-transfer/rmt-base

What this malware does

Package ships only a preinstall lifecycle script (scripts/preinstall.sh) and no functional code. On npm install, the script reads /etc/passwd and /root/.ssh/id_rsa, fetches the host's public IP via ifconfig.me, and POSTs all three values to https://astralishmx.requestcatcher.com/BONK2 using curl -k (TLS verification disabled). The package is published under a scope impersonating Remitee (@remitee-money-transfer/rmt-base) at an inflated version (99.99.102) consistent with a dependency-confusion attack against a private internal package; the declared main: index.js does not exist in the tarball. The author handle (astralis) matches the exfiltration hostname, and requestcatcher.com is a free request-capture service commonly abused as a low-effort exfiltration sink. The combined fingerprint — install-time read of classic installer secrets, hardcoded attacker C2, namespace impersonation, dependency-confusion versioning, and absence of any legitimate code — leaves no benign interpretation.

Malicious versions

4 flagged

99.99.9999.99.10099.99.10299.99.104

Indicators of compromise (SHA-256)

0cc1b31fb75d4ce14f92cece467379772ae4de69fc124b044fd85fb5532ba28f

3cbd95509c668d068d92db3ccc5083d85cf00c2c05d96931f89a352d6ab648f7

5f21c6601855c2f2d0a5d0761d3defe8c0ba1708dd2a67fb278c03e0abd6ba16

6526c0bb25f024565474beaf77c30272b152a2fe02cf1cece347968d41b5edb5

906ca2ef612fe4aa96f94925f4a3f1c915867dcf79b5555ad4490477a9c8b5ca

ed4ebf0f48294e950bcdf6cba604df70c185509480e27bccaed175ef6d8cc0ca

fc537833cffcbc6cf7ec8f4c13f534faee5194d778be1e7d788dd1f062a793dc

10364f6cc7a1f72576bc55c4e4e29010e4f4c99a725e685bdefbd91de450953a

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @remitee-money-transfer/rmt-base (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @remitee-money-transfer/rmt-base across your stack and pipelines.
If you installed it — respond
@remitee-money-transfer/rmt-base is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @remitee-money-transfer/rmt-base was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @remitee-money-transfer/rmt-base before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @remitee-money-transfer/rmt-base on npm has been identified as a malicious package (versions 99.99.99, 99.99.100, 99.99.102, 99.99.104 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004031IN-MAL-2026-004242IN-MAL-2026-004030IN-MAL-2026-004027IN-MAL-2026-004019IN-MAL-2026-004026IN-MAL-2026-004018IN-MAL-2026-004241

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @remitee-money-transfer/rmt-base-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring