Which versions of carvus-lens are malicious?

The following npm versions of carvus-lens are flagged malicious: 1.0.1. Treat any of these as compromised.

How do I remediate carvus-lens if I installed it?

carvus-lens is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed carvus-lens — how do I know if it already compromised me?

If carvus-lens was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is carvus-lens part of a known attack campaign?

Yes — carvus-lens is associated with the IN-MAL-2026-003363, IN-MAL-2026-003362 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find carvus-lens across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for carvus-lens (version 1.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging carvus-lens across your stack and pipelines.

Malicious package

carvus-lensnpm

Malicious code in carvus-lens (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4505

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall carvus-lens

What this malware does

carvus-lens is a screen-capture/OCR Electron-style tool whose advertised 'Ask AI', 'Translate', and 'Search' features silently route user-selected screen content to two third-party services chosen by the author, not the user. render.js line 4 hardcodes GROQ_API_KEY = "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" and the queryGroq function POSTs OCR'd text to https://api.groq.com/openai/v1/chat/completions with Authorization: Bearer ${GROQ_API_KEY}, so every user's selected screen text flows into Groq under the author's account. render.js line 5 hardcodes IMG_HOST_KEY = "6d207e02198a847aa98d0a2a901485a5" and uploadImage POSTs cropped screenshots to https://freeimage.host/api/1/upload?key=${IMG_HOST_KEY} — screenshots may contain messages, documents, code, or banking content, are stored under the author's freeimage.host account, and are made publicly accessible (the resulting URL is then handed to lens.google.com). README does not disclose either intermediary. Two compounding issues: (1) silent-relay — normal use of the advertised API exfiltrates user screen content to author-chosen destinations the user never selected; (2) credential redistribution — both API keys are extractable from the shipped client code and can be abused by any installer to bill Groq usage against the author or upload arbitrary content to the author's freeimage.host account.

Malicious versions

1 flagged

1.0.1

Indicators of compromise (SHA-256)

968a2b019b04b046715850d25dc90c586ba5b44f2fc6f7340ece0e29aaef3ec0

be2182b552b0a8359f3314078d48310cfcd57738e1934aacf00ac8775a32cfe0

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for carvus-lens (version 1.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging carvus-lens across your stack and pipelines.
If you installed it — respond
carvus-lens is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If carvus-lens was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks carvus-lens before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. carvus-lens on npm has been identified as a malicious package (version 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003363IN-MAL-2026-003362

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks carvus-lens-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring