Malicious package

cdk-insights (npm)

Malicious code in cdk-insights (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4508
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall cdk-insights

What this malware does

The package contains code in dist/entry.js and dist/index.js that invokes npm publish programmatically and combines it with writeFileSync operations. This is the canonical wormable auto-publication pattern: enumerate the maintainer's other packages, rewrite their package.json, and republish under the installer's npm credentials.

Additionally, dist/aspects/CdkInsightsAspect.js, dist/entry.js, and dist/index.js contain multiple HTTP POST sinks consistent with hardcoded C2 / data-exfiltration endpoints, and CdkInsightsAspect.js contains ping-based network reconnaissance.

Wormable self-propagation infrastructure combined with exfiltration POST endpoints in install/import-reachable code has the unmistakable shape of a supply-chain attack. Any developer or CI system installing this package risks (a) having installer-side data POSTed to attacker-controlled endpoints and (b) having their npm credentials abused to republish malicious versions of their other packages.

Malicious versions

2 flagged

1.41.2
1.42.3
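
One way to check whether a project's lockfile pulls in this package, as an added example that is not part of the original advisory. The sample lockfiles are constructed, and the names demo-app, some-tool and insights-alias and the version 1.40.0 are hypothetical.

```javascript
// Added example, not from the advisory's publisher. The flagged versions are
// the two listed on this page for MAL-2026-4508.
const PKG = "cdk-insights";
const FLAGGED_VERSIONS = new Set(["1.41.2", "1.42.3"]);

// Takes a parsed package-lock.json and returns every installed copy of the
// package as { path, version, flagged }: nested copies in both lockfile
// formats, plus aliased copies in lockfileVersion 2/3.
function findCdkInsights(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED_VERSIONS.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      // npm records "name" only when it differs from the folder name (alias).
      const name = meta.name || path.split("node_modules/").pop();
      if (name === PKG) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PKG) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (hypothetical project and dependency names).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/cdk-insights": { version: "1.42.3" },
  "node_modules/some-tool/node_modules/cdk-insights": { version: "1.40.0" },
  "node_modules/insights-alias": { name: "cdk-insights", version: "1.41.2" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "some-tool": { version: "2.0.0",
    dependencies: { "cdk-insights": { version: "1.41.2" } } },
} };

console.log(findCdkInsights(sampleV3), findCdkInsights(sampleV1));
```

To check a real project, pass the result of JSON.parse on its package-lock.json contents to findCdkInsights; any hit, flagged or not, means the package is still in the dependency tree.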

Indicators of compromise (SHA-256)

fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89
c881a135de8104d4fb3610e23f98105d97692a8c20b0cad8fb4a45c3d2052e46

Frequently asked questions

No. cdk-insights on npm has been identified as a malicious package (versions 1.41.2, 1.42.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004226
IN-MAL-2026-005797

Credits

  • Amazon Inspector · finder

cdk-insights (npm) malicious package — MAL-2026-4508 | O3 Security