Which versions of clean-my-pc are malicious?

The following npm versions of clean-my-pc are flagged malicious: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.9. Treat any of these as compromised.

How do I remediate clean-my-pc if I installed it?

Remove clean-my-pc from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is clean-my-pc part of a known attack campaign?

Yes — clean-my-pc is associated with the IN-MAL-2026-005660, IN-MAL-2026-005662, IN-MAL-2026-005661, IN-MAL-2026-005659, IN-MAL-2026-005657, IN-MAL-2026-005658 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect clean-my-pc in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking clean-my-pc and packages like it before any post-install script runs.

Malicious package

clean-my-pcnpm

Malicious code in clean-my-pc (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5609

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall clean-my-pc

What this malware does

The package's collect.js imports child_process, fs, http, https, and os, gathers host identifiers via os.hostname() and os.homedir(), reads files from the local filesystem (fs.existsSync checks at lines 20 and 27), and POSTs the collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net (referenced at line 13, with the POST request at line 366). The destination domain is unrelated to any legitimate PC-cleaning utility purpose and matches the structural fingerprint of a host-information / filesystem exfiltration beacon: hardcoded non-publisher C2 + system identity collection + outbound POST. Installing or loading this package causes the installer's hostname, home-directory contents indicator, and other host data to be transmitted to the attacker-controlled endpoint over plaintext HTTP.

Malicious versions

6 flagged

1.0.11.0.21.0.31.0.41.0.51.0.9

Indicators of compromise (SHA-256)

0643990e40a068c184fc70b258368e07ce0b7cb6b81478a82da8e76e169dfbfe

5f90d40c1809406517b17c6d51086a8bc1c09492413d8db182dbb29de829bd37

8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6

9c0da96e59f83bd52a688d90504e873aa5c0c8ed2ec5fc37c0d35b35ac6dc190

cb6ce87f95f3510f104ff3b69e555f9dcff24c2b4333967e21f2c2264b673c3a

4110a6fab49f763df4587e8710ef8e4e0ec5823c7a65cff1462ccdcc6a95da5b

Frequently asked questions

No. clean-my-pc on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005660IN-MAL-2026-005662IN-MAL-2026-005661IN-MAL-2026-005659IN-MAL-2026-005657IN-MAL-2026-005658

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection