Malicious package

aikaf788812 (npm)

Malicious code in aikaf788812 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6217
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall aikaf788812

What this malware does

The package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a detached background process (stdio:'ignore', windowsHide:true) that survives the install lifecycle. shell.js attempts multiple reverse-shell methods (a Node net socket piping /bin/sh or powershell, bash /dev/tcp, and a Python socket+subprocess payload), connecting to 114.67.90.67 on ports 3334, 4444, 443, 80, 8080, and 53. It additionally issues an HTTP GET to http://114.67.90.67:8333/ping carrying the installer's hostname, username, cwd, and OS platform/release as query parameters, fingerprinting the victim and confirming compromise. A setInterval keep-alive plus an infinite Python reconnect loop maintain persistent C2 access on the installer's machine.

Malicious versions

1 flagged
1.0.3
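
To confirm whether the package is anywhere in a dependency tree, including transitive or aliased copies that npm uninstall on the top-level name would not reveal, the lockfile can be audited directly. The following is an added example, not code from this advisory or from O3 Security; the sample lockfile and the other package names in it are constructed, and the input is assumed to be a parsed package-lock.json object.

```javascript
// Added example: locate the flagged package in a parsed package-lock.json.
// Package name and version are the ones given in this advisory.
const FLAGGED = { name: "aikaf788812", versions: ["1.0.3"] };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (project root) -> null
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, meta, where) => {
    if (name !== FLAGGED.name) return;
    findings.push({
      where,
      version: meta.version,
      flaggedVersion: FLAGGED.versions.includes(meta.version),
      // Present in lockfileVersion 2/3 entries only; false for version 1.
      hasInstallScript: meta.hasInstallScript === true,
    });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. An entry may carry
    // an explicit "name" (e.g. an aliased install), so prefer it over the path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      record(meta.name || nameFromPath(path), meta, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta, trail.concat(name).join(" > "));
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample: one transitive copy and one aliased copy.
const SAMPLE_LOCK = { name: "demo-app", lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/example-lib": { version: "1.3.0" },
  "node_modules/some-lib/node_modules/aikaf788812": { version: "1.0.3", hasInstallScript: true },
  "node_modules/strutil": { name: "aikaf788812", version: "1.0.3", hasInstallScript: true },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Any finding means the postinstall script may already have run on machines that installed from that lockfile, so the credential rotation described under Immediate action applies even after the package is removed.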

Indicators of compromise (SHA-256)

c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2

Frequently asked questions

No. aikaf788812 on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007082

Credits

  • Amazon Inspector · finder

aikaf788812 (npm) malicious package — MAL-2026-6217 | O3 Security