Which versions of boardstep are malicious?

The following npm versions of boardstep are flagged malicious: 1.0.0, 1.0.1, 1.0.5, 1.0.7, 1.0.9, 1.1.0, 1.1.2, 1.1.3, 1.1.4. Treat any of these as compromised.

How do I remediate boardstep if I installed it?

Remove boardstep from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Can O3 Security detect boardstep in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking boardstep and packages like it before any post-install script runs.

Malicious package

boardstepnpm

Malicious code in boardstep (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5800

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall boardstep

What this malware does

The package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. There is no hash verification, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper. On npm install, the installer's machine fetches and silently executes an opaque attacker-controlled binary.

Malicious versions

9 flagged

1.0.01.0.11.0.51.0.71.0.91.1.01.1.21.1.31.1.4

Indicators of compromise (SHA-256)

0fe75e9b8d5e4db24bcae068f6f4a55e000043c581641e6ce78a65701f4faaa3

1c728314b118425c8e4be256314b44452198a03b9cc6e9b697fa10dc8fa8bb2a

2642f9949a070ceffd4e18fadfc9961d2588873ff4e2e866421162543d22c13c

325418ddeb8034034f4ff5434b932636adefe9d71a4b69dab8b20d4f6af2da53

5d193c5fa2c3acc68bf1f212f644e09ae38a98c5bc3aa64e5018289da5e70542

d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c

1475dbf1ac0cdc805d7ae41c48f8edfa7a67ac5749518afb27ef1fd6d53477b4

2e24960fef479acf9380994e528fe3489caf04bcf720e2936e4f982f19ff214a

495f2962e11e2b5600a0d50d95e778b87ae4b9e88f83b9bcbf6364d16dfbb33e

7ec0920e2706acb6ad200c954aff69c563d6f45ce153e5a54b2315d433be19f9

b8557d825807486ccc8ae2d425fae75c052e94479a1b0a1d92538cca3ef13441

16d8821c5887c1c3c2e7edf779a321325f3f3af927deb2e3126bab492ad9966f

f103051c15e08c9458073d83479e72c8adb82b907555f0eb18d195aa3de38489

160b1e0a86193a1e1e473a9bf7d50420f215723a1034a35d1e6f9023a7ad80de

279ecefcbad0d8d01a1f4d08158093609409e96d470b9c5f15889fd241dc3ce4

7849155ad4026116feb6a2afac79215c1fe7af6bda263596734b377db0b6946d

c3993e27a1725891e01283df6a72ec0619f8307445b2f2e7d8f5f6a448ce38e8

f6ab5802a77fa85a1b0d46c70336da48abd5e43a743f1a73b85ebc54c2d1175b

Frequently asked questions

No. boardstep on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.5, 1.0.7, 1.0.9, 1.1.0, 1.1.2, 1.1.3, and 1 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006635IN-MAL-2026-006645IN-MAL-2026-006641IN-MAL-2026-006644IN-MAL-2026-006630IN-MAL-2026-006637IN-MAL-2026-006639IN-MAL-2026-006634IN-MAL-2026-006629IN-MAL-2026-006631IN-MAL-2026-006636IN-MAL-2026-006632IN-MAL-2026-006642IN-MAL-2026-006638IN-MAL-2026-006640IN-MAL-2026-006628IN-MAL-2026-006633IN-MAL-2026-006643

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection