Which versions of ai-chat-helper are malicious?

The following npm versions of ai-chat-helper are flagged malicious: 1.0.1, 1.0.2, 1.0.9. Treat any of these as compromised.

How do I remediate ai-chat-helper if I installed it?

Remove ai-chat-helper from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ai-chat-helper part of a known attack campaign?

Yes — ai-chat-helper is associated with the IN-MAL-2026-006951, IN-MAL-2026-006952, IN-MAL-2026-006953 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ai-chat-helper in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ai-chat-helper and packages like it before any post-install script runs.

Malicious package

ai-chat-helpernpm

Malicious code in ai-chat-helper (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6086

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ai-chat-helper

What this malware does

collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports child_process, os, fs, http, and https; reads os.hostname(), os.homedir(), and inspects local filesystem paths via fs.existsSync; and POSTs the collected data to http://aab.sportsontheweb.net (line 13/line 366). The destination is an unrelated third-party domain over cleartext HTTP, with no relationship to any documented chat-helper functionality. This is the canonical credential/host-info beacon shape: child_process for command execution, os for host identity, fs for local file enumeration, and a hardcoded HTTP POST to an attacker domain.

Malicious versions

3 flagged

1.0.11.0.21.0.9

Indicators of compromise (SHA-256)

2a7654ff516176e3c9277ea8711149b1d55851165aa430307db43ebfdb578a3f

39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318

6da659c2083db3bfaa683c19c572521b78359bbfb266ed9259192e19fe47e02f

Frequently asked questions

No. ai-chat-helper on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006951IN-MAL-2026-006952IN-MAL-2026-006953

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection