Malicious package

backup-my-data (npm)

Malicious code in backup-my-data (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5603
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall backup-my-data

What this malware does

The package's collect.js loads child_process, fs, os, http and https, gathers host identifiers via os.hostname() and os.homedir(), enumerates filesystem paths via fs.existsSync, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net (collect.js line 13, POST at line 366). The package's stated purpose ('backup-my-data') is a cover; the runtime behavior is system-information harvesting and exfiltration to an attacker-controlled host that has no relationship to the package name or any documented backup service. Installing or loading this package leaks host identity and filesystem reconnaissance data to a third-party endpoint.

Malicious versions

3 flagged
1.0.1, 1.0.2, 1.0.9
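
To confirm whether any copy of backup-my-data, direct or transitive, is in a project's dependency tree, the lockfile can be checked for the package name and the flagged versions 1.0.1, 1.0.2 and 1.0.9. The following is an added example, not code from this advisory or from the package; the function name findMaliciousPackage and the sample lockfiles are constructed for illustration, and the input is assumed to be a parsed package-lock.json.

```javascript
// Added example: the package name and versions come from this advisory;
// the function name and sample lockfiles are constructed for illustration.
const MALICIOUS_NAME = "backup-my-data";
const FLAGGED_VERSIONS = new Set(["1.0.1", "1.0.2", "1.0.9"]);

// Returns [{ path, version, flagged }] for every copy of the package found in
// a parsed package-lock.json, including nested (transitive) copies. Versions
// not listed in the advisory are still reported, with flagged=false, for review.
function findMaliciousPackage(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED_VERSIONS.has(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path,
    // e.g. "node_modules/a/node_modules/backup-my-data".
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Use the explicit name when present, otherwise derive it from the path.
      const name = meta.name || path.split("node_modules/").pop();
      if (name === MALICIOUS_NAME) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: recursively nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === MALICIOUS_NAME) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): a transitive copy at a flagged version.
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/left-helper": { version: "2.0.0" },
    "node_modules/left-helper/node_modules/backup-my-data": { version: "1.0.9" },
  },
};
// Constructed sample (lockfileVersion 1): the same situation in the nested layout.
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "left-helper": { version: "2.0.0", dependencies: { "backup-my-data": { version: "1.0.2" } } },
  },
};
console.log(findMaliciousPackage(sampleLockV3), findMaliciousPackage(sampleLockV1));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json; any non-empty result means the package must be removed and secrets rotated as described above.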

Indicators of compromise (SHA-256)

3184167d3b1cd30c17f285b5bc511295b55de4b37de52a228cda9f1b80044247
909d29560b504f0b737cee3d66f3b32cc61931824e7547c44fb1b30d4958c427
de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6

Frequently asked questions

No. backup-my-data on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005663, IN-MAL-2026-005665, IN-MAL-2026-005664

Credits

  • Amazon Inspector · finder

backup-my-data (npm) malicious package — MAL-2026-5603 | O3 Security