Malicious package

auth0-templates-scripts (npm)

Malicious code in auth0-templates-scripts (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4489
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall auth0-templates-scripts

What this malware does

The package name 'auth0-templates-scripts' impersonates the Auth0 (Okta) brand without affiliation. The author field is the placeholder 'OpenSource Contributor'. The main entry (index.js lines 2-6) silently require()s a co-named dependency, auth0-templates-scripts-utils (^1.0.5), inside a try/catch that swallows all errors, then prints an 'integration framework initialized' message. This is a loader-shim pattern: the visible package is nearly empty, while the auto-installed sibling carries the actual code. The sibling is pulled into the installer's dependency tree on npm install and loaded on every require('auth0-templates-scripts'), yet it is hidden from anyone inspecting only this tarball. The combination of brand-name impersonation, placeholder author metadata, and a silent error-swallowing shim that delegates execution to a co-named transitive dependency is the canonical namespace-abuse dropper shape.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
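
Because the shim and its sibling can sit anywhere in a dependency tree, a lockfile audit is a quick way to find every installed copy and the package that pulls it in. The script below is an added example, not code from the advisory or from O3 Security. It assumes an npm lockfile with lockfileVersion 2 or 3 (a "packages" map; older lockfiles without that map produce no findings), and the file name audit-lock.js, the sample packages 'demo-app' and 'build-helper', and the resolved sibling version are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for the shim and its sibling.
const SHIM = 'auth0-templates-scripts';           // package named in the advisory
const SIBLING = 'auth0-templates-scripts-utils';  // dependency the shim require()s
const FLAGGED = new Set(['80.0.1', '80.0.4']);    // versions the advisory flags

// "node_modules/a/node_modules/@s/b" -> "@s/b"; workspace paths are returned unchanged.
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === '' ? '<root>' : nameFromPath(path);
    // Installed copies at any nesting depth, not only top-level node_modules.
    if (name === SHIM || name === SIBLING) {
      findings.push({ kind: 'installed', name, path, version: meta.version,
        flaggedVersion: name === SHIM && FLAGGED.has(meta.version) });
    }
    // Which entry declares either name, so the real parent can be removed too.
    const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    for (const dep of [SHIM, SIBLING]) {
      if (dep in declared) findings.push({ kind: 'declared-by', name: dep, by: name, range: declared[dep] });
    }
  }
  return findings;
}

// Constructed sample: 'demo-app', 'build-helper' and the resolved sibling version are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'build-helper': '^2.0.0' } },
    'node_modules/build-helper': { version: '2.1.0', dependencies: { [SHIM]: '^80.0.0' } },
    'node_modules/build-helper/node_modules/auth0-templates-scripts':
      { version: '80.0.4', dependencies: { [SIBLING]: '^1.0.5' } },
    'node_modules/auth0-templates-scripts-utils': { version: '1.0.5' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; without a path the sample is audited.
const lockPath = typeof require === 'function' ? process.argv[2] : undefined;
const lockData = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
const auditResult = auditLock(lockData);
console.log(JSON.stringify(auditResult, null, 2));
if (lockPath && auditResult.length) process.exitCode = 1;  // fail a CI step on any hit
```

A "declared-by" finding names the parent that must also be removed or upgraded; uninstalling only the shim leaves that parent free to reinstall it.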

Malicious versions

2 flagged
80.0.1, 80.0.4

Indicators of compromise (SHA-256)


Frequently asked questions

No. auth0-templates-scripts on npm has been identified as a malicious package (versions 80.0.1, 80.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003756, IN-MAL-2026-003749, IN-MAL-2026-003757, IN-MAL-2026-003748, GHSA-748c-3f9q-294w

Credits

  • Amazon Inspector · finder

auth0-templates-scripts (npm) malicious package — MAL-2026-4489 | O3 Security