Malicious package

analysis-chart (npm)

Malicious code in analysis-chart (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6299
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall analysis-chart

What this malware does

Stage 1, download and decode. The package's postinstall hook (install-hook.js, invoked via package.json scripts.postinstall) fetches an opaque binary, payload.bin, from https://github.com/Dimitrijenco/Sticky_note/releases/download/v6/payload.bin, a third-party GitHub release on an account unrelated to the package's claimed author. The downloaded bytes are XOR-decoded with the single-byte key 0x42.

Stage 2, in-memory loading. The decoded bytes are loaded into the installer's own process: kernel32.dll is loaded via koffi (a Node FFI library), RWX memory is allocated with VirtualAlloc, the decoded PE is copied in with RtlMoveMemory, VirtualProtect is applied, and CreateThread is started at the parsed PE entry point. This is in-memory shellcode/PE injection on Windows developer machines: arbitrary attacker-controlled native code runs on npm install.

Stage 3, anti-forensic cleanup. After launching the payload, install-hook.js writes a cleanup.js that, after a 3-second delay, runs cmd /c rmdir /s /q on the package folder, removes 'analysis-chart' from the host project's package.json, unlinks install-hook.js, and deletes itself, so the developer cannot inspect what ran.

Decoy. The package's index.js exposes a plausible-looking chart statistics API (stats, outliers, trend, correlation, movingAverage, analyze) that is functionally unrelated to install-hook.js and serves as cover; the author metadata ('Elena Vogt [email protected]') and the referenced repository appear fabricated.

Malicious versions

21 flagged

2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28 (every release from 2.0.8 through 2.0.28 inclusive)

Indicators of compromise (SHA-256)

Detection & response playbook

Destructive / sabotage
  1. Find it

    Scan your lockfiles (package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml) and build artifacts for analysis-chart (21 malicious versions, 2.0.8 through 2.0.28). Check the lockfile rather than package.json: the package's cleanup step removes its own entry from package.json and deletes its folder, so a clean manifest does not mean it was never installed. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging analysis-chart across your stack and pipelines.

  2. If you installed it — respond

    analysis-chart carries a destructive/sabotage payload and runs arbitrary native code in the installer's process. Remove it immediately, then treat the host that ran the install as compromised: rotate every secret it could reach (registry and CI tokens, cloud credentials, SSH keys), restore any affected data from clean backups, and verify the integrity of build outputs produced on that host.

  3. Did it already run?

    If analysis-chart was ever installed on a Windows host, its postinstall payload has most likely already executed, and its cleanup script will have removed the package folder, the package.json entry and the hook itself, so the absence of the package on disk is not evidence that it did not run. Look for the install in lockfiles, CI logs and the npm cache, and in endpoint and network telemetry for a node process fetching the payload from the github.com/Dimitrijenco/Sticky_note release URL or spawning cmd /c rmdir /s /q. O3's L7 egress monitoring and runtime eBPF sensors detect a credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise, not just the presence of the package.

  4. How O3 protects you

    O3 blocks analysis-chart before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. analysis-chart on npm has been identified as a malicious package (versions 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, and 13 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007239, IN-MAL-2026-007246, IN-MAL-2026-007242, IN-MAL-2026-007240, IN-MAL-2026-007238, IN-MAL-2026-007237, IN-MAL-2026-007245, IN-MAL-2026-007243, IN-MAL-2026-007235, IN-MAL-2026-007241, IN-MAL-2026-007244, IN-MAL-2026-007236, IN-MAL-2026-007349, IN-MAL-2026-007343, IN-MAL-2026-007345, IN-MAL-2026-007347, IN-MAL-2026-007342, IN-MAL-2026-007344, IN-MAL-2026-007346, IN-MAL-2026-007350, IN-MAL-2026-007348

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks analysis-chart-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.