Which versions of cloudsmith-vsc are malicious?

The following npm versions of cloudsmith-vsc are flagged malicious: 2.1.2. Treat any of these as compromised.

How do I remediate cloudsmith-vsc if I installed it?

cloudsmith-vsc is a typosquat — you almost certainly intended a legitimately-named package. Remove cloudsmith-vsc, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed cloudsmith-vsc — how do I know if it already compromised me?

If cloudsmith-vsc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is cloudsmith-vsc part of a known attack campaign?

Yes — cloudsmith-vsc is associated with the IN-MAL-2026-004014, IN-MAL-2026-004015 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find cloudsmith-vsc across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cloudsmith-vsc (version 2.1.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cloudsmith-vsc across your stack and pipelines.

Malicious package

cloudsmith-vscnpm

Malicious code in cloudsmith-vsc (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4530

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall cloudsmith-vsc

What this malware does

package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js reads installer-side system identity and files — os.hostname(), os.userInfo(), homedir, DNS configuration, package metadata, /etc/passwd, and /etc/hosts — and POSTs them over HTTPS to a hardcoded Burp Collaborator subdomain (6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com). The package metadata is empty (no description, author, or license) and the name impersonates the Cloudsmith vendor brand, consistent with a dependency-confusion / typosquat recon-and-exfil payload. Any machine that installs this package transmits host fingerprinting and local account data to the attacker.

Malicious versions

1 flagged

2.1.2

Indicators of compromise (SHA-256)

2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f

b426dccab89457fd791a8fd83473fe7afa862d2e532c41b1fd635bb251e5c830

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cloudsmith-vsc (version 2.1.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cloudsmith-vsc across your stack and pipelines.
If you installed it — respond
cloudsmith-vsc is a typosquat — you almost certainly intended a legitimately-named package. Remove cloudsmith-vsc, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If cloudsmith-vsc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks cloudsmith-vsc before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. cloudsmith-vsc on npm has been identified as a malicious package (version 2.1.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004014IN-MAL-2026-004015

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks cloudsmith-vsc-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring