What does the @resolvx/core malware do?

On `npm install`, scripts/postinstall.js connects to a hardcoded attacker IP (http://213.218.160.189:8080, fallback:80), sends a base64-encoded host fingerprint (hostname, username, platform, arch) as the `q` query parameter, optionally XOR-decrypts the HTTP response with an embedded hex key, writes the decrypted bytes to a hidden file (`.node_ .js`) under /tmp or %LOCALAPPDATA%/Temp, spawns it as a detached Node process with stdio ignored and windowsHide set, calls unref(), and deletes the staging file ~5 seconds later. The script also performs anti-analysis checks (scans `tasklist` for wireshark/fiddler/procmon/x64dbg/ida), introduces a randomized 0.5–2.5s start delay, and skips execu

Which versions of @resolvx/core are malicious?

The following npm versions of @resolvx/core are flagged malicious: 1.0.0, 2.4.1, 2.4.2. Treat any of these as compromised.

How do I remediate @resolvx/core if I installed it?

Remove @resolvx/core from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @resolvx/core part of a known attack campaign?

Yes — @resolvx/core is associated with the IN-MAL-2026-006651, IN-MAL-2026-006650, IN-MAL-2026-006652, IN-MAL-2026-006649 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @resolvx/core in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @resolvx/core and packages like it before any post-install script runs.

Malicious package

@resolvx/corenpm

Malicious code in @resolvx/core (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5798

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @resolvx/core

What this malware does

On npm install, scripts/postinstall.js connects to a hardcoded attacker IP (http://213.218.160.189:8080, fallback:80), sends a base64-encoded host fingerprint (hostname, username, platform, arch) as the q query parameter, optionally XOR-decrypts the HTTP response with an embedded hex key, writes the decrypted bytes to a hidden file (.node_<rand>.js) under /tmp or %LOCALAPPDATA%/Temp, spawns it as a detached Node process with stdio ignored and windowsHide set, calls unref(), and deletes the staging file ~5 seconds later. The script also performs anti-analysis checks (scans tasklist for wireshark/fiddler/procmon/x64dbg/ida), introduces a randomized 0.5–2.5s start delay, and skips execution when npm_config_dry_run is set to evade dry-run inspection. The combination of plaintext HTTP fetch from a bare IP, payload decryption, hidden filename staging, detached background execution, and anti-analysis gating is a textbook install-time dropper that yields full code execution on the installer's machine and exfiltrates host identification to the attacker for follow-on targeting.

Malicious versions

3 flagged

1.0.02.4.12.4.2

Indicators of compromise (SHA-256)

052d246b7ece22aa1b8e1a365e8c56a7655f5bb9136c946c93491d3f45bad6fc

4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0

c4a11c4df96cafcd14b258bbd044e008dc789bf4860930df33ce06bac5b22372

c616f535bbbe417cfb9a1e54c6c98a9a40c2631ce26c3209ab5b43bc05ae4aec

Frequently asked questions

No. @resolvx/core on npm has been identified as a malicious package (versions 1.0.0, 2.4.1, 2.4.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006651IN-MAL-2026-006650IN-MAL-2026-006652IN-MAL-2026-006649

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection