Which versions of build-tracker-n5p1 are malicious?

The following npm versions of build-tracker-n5p1 are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate build-tracker-n5p1 if I installed it?

Remove build-tracker-n5p1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is build-tracker-n5p1 part of a known attack campaign?

Yes — build-tracker-n5p1 is associated with the IN-MAL-2026-007063 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect build-tracker-n5p1 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking build-tracker-n5p1 and packages like it before any post-install script runs.

Malicious package

build-tracker-n5p1npm

Malicious code in build-tracker-n5p1 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6196

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall build-tracker-n5p1

What this malware does

Package name suggests build telemetry tooling, but the tarball ships beacon scripts (beacon18.js, beacon_linux.js) wired to a postinstall lifecycle hook ("postinstall": "node run.js" in package.json line 9). On install, these scripts collect host identifiers via os.hostname()/os.platform() and child_process, then issue outbound HTTP GET/POST requests via http.request from the installer's machine. This combination — auto-execute on install, host fingerprinting, and outbound HTTP exfiltration — is a classic install-time host beacon / data-exfiltration pattern. There is no legitimate build-tracking reason to fingerprint the host and beacon out at install time without consent or configuration.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619

Frequently asked questions

No. build-tracker-n5p1 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007063

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection