Malicious package

@thomlecter1122/lab-helper-test (npm)

Malicious code in @thomlecter1122/lab-helper-test (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5534
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @thomlecter1122/lab-helper-test

What this malware does

router_init.js line 4 contains the canonical obfuscated-payload-execution pattern: eval(Buffer.from(<base64-blob>, 'base64').toString(...)). This decodes a hidden byte blob and executes it as JavaScript the moment the file is loaded, so arbitrary author-supplied code runs on the installer's machine with no readable source. There is no legitimate reason for a package described as a 'lab helper' to ship a base64-encoded, eval'd payload in a file named router_init.js, and the obfuscation is specifically designed to defeat source review. Any code path that requires this module, including normal application startup or transitive imports, will execute the hidden payload.
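
A static check for the loader pattern described above, as an added example (not code from the advisory or from the package): it scans source text for eval(Buffer.from(..., 'base64').toString(...)) and decodes a literal blob for triage without executing it. The function name findEncodedEval, the regular expression and the sample file contents are assumptions constructed here.

```javascript
// Added example: static check for the eval(Buffer.from(..., 'base64').toString(...)) loader.
// It only reads source text; nothing from the scanned file is ever executed.
const LOADER_RE =
  /\beval\s*\(\s*Buffer\s*\.\s*from\s*\(\s*(?:(["'`])([A-Za-z0-9+\/=\s]*)\1|([^,()]+?))\s*,\s*["'`]base64["'`]\s*\)\s*\.\s*toString\s*\(/g;

function findEncodedEval(source, file = '<input>') {
  const findings = [];
  for (const m of source.matchAll(LOADER_RE)) {
    const line = source.slice(0, m.index).split('\n').length;
    const literal = m[2]; // undefined when the blob is passed via a variable or expression
    findings.push({
      file,
      line,
      blobIsLiteral: literal !== undefined,
      // Decode for triage only; the result is handled as inert text.
      decodedPreview: literal !== undefined
        ? Buffer.from(literal, 'base64').toString('utf8').slice(0, 80)
        : null,
    });
  }
  return findings;
}

// Constructed sample input with a benign payload, laid out so the call sits on line 4.
const benign = Buffer.from('console.log("constructed sample")').toString('base64');
const SAMPLE = [
  "'use strict';",
  '// router bootstrap',
  'const cfg = {};',
  `eval(Buffer.from('${benign}', 'base64').toString('utf8'));`,
  'module.exports = cfg;',
].join('\n');

// Constructed negative case: base64 decoding that feeds a parser, not eval.
const CLEAN = "const b = Buffer.from(data, 'base64').toString('utf8');\nJSON.parse(b);";

console.log(findEncodedEval(SAMPLE, 'router_init.js'));
console.log(findEncodedEval(CLEAN, 'clean.js'));
```

A finding with blobIsLiteral set to false means the encoded data is assembled elsewhere in the file and needs manual review.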

Malicious versions

5 flagged
0.0.2, 0.0.5, 0.0.11, 0.0.15, 0.0.16

Indicators of compromise (SHA-256)


Frequently asked questions

No. @thomlecter1122/lab-helper-test on npm has been identified as a malicious package (versions 0.0.2, 0.0.5, 0.0.11, 0.0.15, 0.0.16 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005322, IN-MAL-2026-005324, IN-MAL-2026-005325, IN-MAL-2026-005323, IN-MAL-2026-005326

Credits

  • Amazon Inspector · finder

@thomlecter1122/lab-helper-test (npm) malicious package — MAL-2026-5534 | O3 Security