Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

babel-preset-lib-clientnpm

Malicious code in babel-preset-lib-client (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10214
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall babel-preset-lib-client

What this malware does

index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of printenv (base64-encoded), and the base64-encoded output of tree../, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.

Malicious versions

3 flagged
4.9.94.9.104.9.11

Indicators of compromise (SHA-256)

0d431b31c9452f93b0f7bfff6f4c64c494f94f91dbbbe9597e10e4d85ea92f63
4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4
c8b10075493fc1ec7728f152149bae784dc2ad5e03872ddac4d345abb2c9bd19

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for babel-preset-lib-client (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging babel-preset-lib-client across your stack and pipelines.

  2. If you installed it — respond

    babel-preset-lib-client is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If babel-preset-lib-client was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks babel-preset-lib-client before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. babel-preset-lib-client on npm has been identified as a malicious package (versions 4.9.9, 4.9.10, 4.9.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009783IN-MAL-2026-009784IN-MAL-2026-009782

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks babel-preset-lib-client-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.