Which versions of atlasora-api are malicious?

The following npm versions of atlasora-api are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate atlasora-api if I installed it?

Remove atlasora-api from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is atlasora-api part of a known attack campaign?

Yes — atlasora-api is associated with the IN-MAL-2026-007098 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect atlasora-api in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking atlasora-api and packages like it before any post-install script runs.

Malicious package

atlasora-apinpm

Malicious code in atlasora-api (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6237

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall atlasora-api

What this malware does

Package declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on npm install. install.js imports https, fs, os, and child_process and collects host identifiers including os.hostname() and os.userInfo(), uses execSync for additional system enumeration, probes filesystem paths via fs.existsSync, and POSTs the collected data over an outbound https.request. This is the canonical install-time host-reconnaissance / exfiltration pattern: the package's only effect on installation is to harvest system identity and ship it off-host. There is no documented library functionality justifying the network beacon at install time.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92

Frequently asked questions

No. atlasora-api on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007098

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection