Malicious package

create-vercel-integration (npm)

Malicious code in create-vercel-integration (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5894
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall create-vercel-integration

What this malware does

The package name mimics Vercel's official create-* initializer convention (e.g. create-next-app), targeting developers who mistype or guess the initializer name and invoke npx create-vercel-integration. The bin script (bin/run.js) hardcodes a callback URL, https://deepbounty.dd06-dev.fr/cb/f7506d76-f300-4c91-a105-41c07ad317fc. On invocation it reads the INIT_CWD environment variable, extracts its basename, and POSTs {pkg, timestamp, transport, project} to that author-controlled endpoint.

The package self-describes as a 'Bug Bounty PoC,' but it is published on the public npm registry under a name shaped like an official Vercel scaffold, and it silently leaks the installer's project directory name to a third party with no disclosure or opt-out. The package provides no legitimate Vercel-integration scaffolding functionality; the bin's only effect is the beacon.

Malicious versions

1 flagged
1.0.0
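To find where the package sits in a dependency tree before removing it, the sketch below walks a parsed package-lock.json in both the flat `packages` layout (lockfileVersion 2 and 3) and the nested `dependencies` layout (lockfileVersion 1). It is an added example, not code from the advisory or from the package; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag lockfile entries that match this advisory (MAL-2026-5894).
const FLAGGED = { name: "create-vercel-integration", versions: ["1.0.0"] };

// Package name for a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns [{ location, version, flaggedVersion }] for every occurrence of the package.
function findFlagged(lock) {
  const hits = [];
  const record = (location, version) =>
    hits.push({ location, version, flaggedVersion: FLAGGED.versions.includes(version) });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (nameFromPath(key) === FLAGGED.name) record(key, meta.version);
  }
  // lockfileVersion 1 (also present in v2 for compatibility): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === FLAGGED.name) record(here.join(" > "), meta.version);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/create-next-app": { version: "14.2.3" },
    "node_modules/tooling/node_modules/create-vercel-integration": { version: "1.0.0" },
  },
};

for (const hit of findFlagged(sampleLock)) {
  console.log(`${hit.flaggedVersion ? "FLAGGED" : "REVIEW"} ${hit.location}@${hit.version}`);
}
```

A one-off npx create-vercel-integration run does not touch the project lockfile, so a clean result here does not rule out that the beacon fired on that machine.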

Indicators of compromise (SHA-256)

aeaea6bab6360c38ed5a7de7065eb04d0ac489bb3670b68defc8bc26874d3d62

Frequently asked questions

No. create-vercel-integration on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006757

Credits

  • Amazon Inspector · finder

create-vercel-integration (npm) malicious package — MAL-2026-5894 | O3 Security