Which versions of boardflow are malicious?

The following npm versions of boardflow are flagged malicious: 1.1.4, 1.1.5. Treat any of these as compromised.

How do I remediate boardflow if I installed it?

Remove boardflow from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is boardflow part of a known attack campaign?

Yes — boardflow is associated with the IN-MAL-2026-006646, IN-MAL-2026-006647, IN-MAL-2026-006648 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect boardflow in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking boardflow and packages like it before any post-install script runs.

Malicious package

boardflownpm

Malicious code in boardflow (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5799

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall boardflow

What this malware does

[email protected] declares a preinstall lifecycle hook (node install.js) that runs automatically on npm install. install.js is heavily obfuscated with obfuscator.io-style string-array indirection (hex-named identifiers, arithmetic-encoded indices, shuffled string table) hiding the destination URL, output filename, and spawn options. After deobfuscation, it downloads https://www.pooron.org/ice.exe to the OS temp directory under a random name (tester_<hex>.exe), chmods the file to 755, and spawns it detached with stdio=ignore on win32, darwin, and Linux — running an opaque, unverified Windows PE binary on every installer's machine with no hash or signature check. The package.json description (a kanban board library) is a cover story; the package ships no library code matching that purpose. The package also declares a dependency on boardwalk@^1.1.4 (same actor as the author field), pulling another likely-malicious package into the install closure. pooron.org is a non-publisher, non-registry domain unrelated to the advertised purpose, and the obfuscation of the URL and exec path is the canonical malicious-dropper fingerprint.

Malicious versions

2 flagged

1.1.41.1.5

Indicators of compromise (SHA-256)

44c1a2a7a8989773ff06953829afe67e6d44ac2f0ed278fd1d3b6c1095af2e3e

4f6871f077a9d5bd524351630a320821db83a1c9d72fce8439cac236db123dea

9430a740d3fd1c56d55223525f3dfeea208ccb860cc67043780367647bf28055

Frequently asked questions

No. boardflow on npm has been identified as a malicious package (versions 1.1.4, 1.1.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006646IN-MAL-2026-006647IN-MAL-2026-006648

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection