Malicious package

atlasora-config (npm)

Malicious code in atlasora-config (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6239
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall atlasora-config

What this malware does

The package declares a postinstall hook in package.json ("postinstall": "node install.js") that automatically executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (lines 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data with https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092

Frequently asked questions

No. atlasora-config on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007100

Credits

  • Amazon Inspector · finder

atlasora-config (npm) malicious package — MAL-2026-6239 | O3 Security