Which versions of camscanner-seo are malicious?

The following npm versions of camscanner-seo are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate camscanner-seo if I installed it?

Remove camscanner-seo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed camscanner-seo — how do I know if it already compromised me?

If camscanner-seo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is camscanner-seo part of a known attack campaign?

Yes — camscanner-seo is associated with the GHSA-p6gw-m8w7-8rqv, RLMA-2025-06077, RLUA-2026-01136 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find camscanner-seo across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for camscanner-seo (version 999.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging camscanner-seo across your stack and pipelines.

Malicious package

camscanner-seonpm

Malicious code in camscanner-seo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2025-192554

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall camscanner-seo

What this malware does

The package camscanner-seo was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

f19e688be1202e28d6c442ecb5e70b4a5e79e7bb33559ff5669948b969324076

6fd71df3759dceae15fc1ad93919d9a90c9f0bdb044e2e131db061e1e24d253e

faeeb70f111da0219c66514f7ba8c975749ff6b24c48d6f02a5a2660d5c896b4

0debcfba613e7bac84777d552c9e298f319a83873f8093e3462f2ff6cf4554ff

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for camscanner-seo (version 999.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging camscanner-seo across your stack and pipelines.
If you installed it — respond
Remove camscanner-seo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If camscanner-seo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks camscanner-seo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. camscanner-seo on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-p6gw-m8w7-8rqvRLMA-2025-06077RLUA-2026-01136

References

Credits

Amazon Inspector · finder
ReversingLabs · finder

Detect & block this

O3 blocks camscanner-seo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring