Malicious package

backoffice-charges-module (npm)

Malicious code in backoffice-charges-module (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5929
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall backoffice-charges-module

What this malware does

On every npm install, the preinstall lifecycle script (node index.js > /dev/null 2>&1) silently HTTPS-POSTs a JSON payload to https://avamnrwqo7.rbmock.dev/ containing the package name, a generated execution_id, process.version, process.platform, process.arch, and an ISO timestamp. Output is redirected to /dev/null to hide the network call from the installer. The package has an empty description, lists its author as 'poc', declares a main.js that is not shipped, and uses an artificially high version number (1.999.0). These are classic dependency-confusion/typosquat reconnaissance signals. The beacon allows whoever controls avamnrwqo7.rbmock.dev to enumerate which internal CI runners and developer hosts have resolved this name from the public registry instead of an internal one, identifying targets for follow-up payloads.
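The manifest signals listed above can be checked mechanically when auditing a dependency tree. The following is an added example, not code from the package or from the advisory's author; the function name, signal labels, the version threshold of 99 and both sample manifests are assumptions made for illustration.

```javascript
// Added example: heuristics built from the signals this advisory lists.
// assessManifest and INSTALL_HOOKS are hypothetical names, not a real tool's API.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// manifest: parsed package.json; shippedFiles: file paths present in the tarball.
function assessManifest(manifest, shippedFiles) {
  const signals = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    signals.push(`lifecycle:${hook}`); // runs automatically on npm install
    // Output sent to /dev/null hides the script's activity from the installer.
    if (/>\s*\/dev\/null/.test(cmd)) signals.push(`silenced:${hook}`);
  }
  // Assumed threshold: a component of 99 or more (e.g. 1.999.0) is inflated.
  const parts = String(manifest.version || "").split(".").map(Number);
  if (parts.some((n) => n >= 99)) signals.push("inflated-version");
  // Declared entry point (default index.js) absent from the published files.
  const main = (manifest.main || "index.js").replace(/^\.\//, "");
  if (!shippedFiles.includes(main)) signals.push("main-not-shipped");
  if (!manifest.description) signals.push("empty-description");
  const author = manifest.author;
  const name = author && typeof author === "object" ? author.name : author;
  if (name === "poc") signals.push("placeholder-author");
  return signals;
}

// Constructed manifest mirroring the fields described in the advisory.
const flagged = {
  name: "backoffice-charges-module",
  version: "1.999.0",
  description: "",
  author: "poc",
  main: "main.js",
  scripts: { preinstall: "node index.js > /dev/null 2>&1" },
};
// Constructed benign manifest for contrast.
const benign = {
  name: "example-lib",
  version: "2.4.1",
  description: "Constructed benign sample",
  main: "lib/index.js",
  scripts: { test: "node test.js" },
};

console.log(assessManifest(flagged, ["package.json", "index.js"]));
console.log(assessManifest(benign, ["package.json", "lib/index.js"]));
```

Each signal on its own is common in legitimate packages; it is the combination on a name that matches an internal package that warrants triage.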

Malicious versions

3 flagged
1.999.0, 2.999.0, 2.999.1

Indicators of compromise (SHA-256)

047eb92a0e8bb401b2c205765616c9b4b715ee7cfd33d2e6ef9dc8d645b77f04
291d2f99e4ff8c22838130d0ac21fb5e6343e42af5d47180c9ce74aa28a937d7
94194d04dd4e91ba9949949bf3054514b786ebb4ffcd3a249d7a4c3a99567139

Frequently asked questions

No. backoffice-charges-module on npm has been identified as a malicious package (versions 1.999.0, 2.999.0, 2.999.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006853, IN-MAL-2026-006855, IN-MAL-2026-006854


Credits

  • Amazon Inspector · finder

backoffice-charges-module (npm) malicious package — MAL-2026-5929 | O3 Security