Which versions of apple-mycelium-fix are malicious?

The following npm versions of apple-mycelium-fix are flagged malicious: 1.2.1778333524, 1.8.1778336376. Treat any of these as compromised.

How do I remediate apple-mycelium-fix if I installed it?

Remove apple-mycelium-fix from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is apple-mycelium-fix part of a known attack campaign?

Yes — apple-mycelium-fix is associated with the GHSA-fjcr-w74v-m2qw campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect apple-mycelium-fix in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking apple-mycelium-fix and packages like it before any post-install script runs.

Malicious package

apple-mycelium-fixnpm

Malicious code in apple-mycelium-fix (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-3416

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall apple-mycelium-fix

What this malware does

The package apple-mycelium-fix was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'apple-mycelium-fix' @ 1.2.1778333524 (npm) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Malicious versions

2 flagged

1.2.17783335241.8.1778336376

Indicators of compromise (SHA-256)

a64eb5f60a8d57bd23e8b18ceeea76083900d2400329d2e68d47e5264e6d76ab

fddb6b83974fb63a902bbe0142a427575ff562f4d741ac48ea35fbb9d195b105

e69a2534c8bb0842243808b87451a399a8fc121ee56e755a33627f21035f8e33

b50cf3ede15485f8c375bb271e52389f7688f6fff125ad74596d8c58eb820217

Frequently asked questions

No. apple-mycelium-fix on npm has been identified as a malicious package (versions 1.2.1778333524, 1.8.1778336376 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-fjcr-w74v-m2qw

References

github.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection