Malicious package

aikaf668897 (npm)

Malicious code in aikaf668897 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6216
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall aikaf668897

What this malware does

On npm install, the package's postinstall hook (node scripts/postinstall.js) spawns a detached background Node process running scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true and .unref(), so the child survives npm install completion and runs invisibly. scripts/shell.js opens a TCP socket to the hardcoded bare IP 114.67.90.67 on port 3333 and pipes a local shell (/bin/sh on Unix, powershell.exe with hidden window on Windows) stdin/stdout/stderr to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine. The package's advertised purpose (a string-manipulation utility, with index.js exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.
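
A heuristic triage for the install-time pattern described above, as an added example (not code from the package, the finder, or this advisory's publisher). The function and rule names are hypothetical, the sample input is constructed, and the check also catches other packages that combine an install hook, a detached silent child, and a socket to a hardcoded IP.

```javascript
// Added example: static triage of an unpacked npm package for the install-time
// backdoor pattern in this advisory. Heuristic only; names below are assumptions.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Indicator name -> pattern matched against each script's source text.
const RULES = {
  detachedSpawn: /detached\s*:\s*true/,
  silencedStdio: /stdio\s*:\s*['"]ignore['"]/,
  hiddenWindow: /windowsHide\s*:\s*true/,
  unref: /\.unref\s*\(/,
  rawSocket: /\bnet\s*\.\s*(?:connect|createConnection)\b/,
  bareIpLiteral: /['"](?:\d{1,3}\.){3}\d{1,3}['"]/,
  shellBinary: /\/bin\/(?:ba)?sh\b|powershell(?:\.exe)?/i,
};

// pkg: parsed package.json; files: { relativePath: sourceText }.
function triagePackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE.filter((h) => typeof scripts[h] === 'string');
  const hits = {};
  for (const [path, src] of Object.entries(files)) {
    const found = Object.keys(RULES).filter((name) => RULES[name].test(src));
    if (found.length > 0) hits[path] = found;
  }
  const seen = new Set(Object.values(hits).flat());
  // Child process that outlives `npm install` and produces no output.
  const background = seen.has('detachedSpawn') && seen.has('unref');
  // Socket to a hardcoded IP in a package that also names a shell binary.
  const remoteShell = ['rawSocket', 'bareIpLiteral', 'shellBinary'].every((n) => seen.has(n));
  let verdict = 'ok';
  if (hooks.length > 0 && (background || remoteShell)) verdict = 'review';
  if (hooks.length > 0 && background && remoteShell) verdict = 'block';
  return { hooks, hits, verdict };
}

// Constructed sample input: non-functional fragments that carry only the
// indicators the advisory lists, not a copy of the package's files.
const SAMPLE_PKG = { scripts: { postinstall: 'node scripts/postinstall.js' } };
const SAMPLE_FILES = {
  'scripts/postinstall.js':
    "spawn(process.execPath, [target], { detached: true, stdio: 'ignore', windowsHide: true }).unref();",
  'scripts/shell.js':
    "const host = '114.67.90.67', port = 3333; const sh = win ? 'powershell.exe' : '/bin/sh'; // net.connect(port, host)",
  'index.js': 'exports.capitalize = (s) => s.charAt(0).toUpperCase() + s.slice(1);',
};

console.log(triagePackage(SAMPLE_PKG, SAMPLE_FILES));
```

A 'review' verdict means only one half of the pattern was seen alongside an install hook; packages with no lifecycle hook are out of scope for this check and return 'ok'.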

Malicious versions

1 flagged
1.0.3

Indicators of compromise (SHA-256)

450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293

Frequently asked questions

No. aikaf668897 on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007084

Credits

  • Amazon Inspector · finder

aikaf668897 (npm) malicious package — MAL-2026-6216 | O3 Security