Which versions of crypto-javascript are malicious?

The following npm versions of crypto-javascript are flagged malicious: 4.2.5, 4.2.10, 4.3.1, 4.3.4, 4.3.6. Treat any of these as compromised.

How do I remediate crypto-javascript if I installed it?

Remove crypto-javascript from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is crypto-javascript part of a known attack campaign?

Yes — crypto-javascript is associated with the IN-MAL-2026-004804, IN-MAL-2026-003315, GHSA-v8fq-265h-rcw5 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect crypto-javascript in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking crypto-javascript and packages like it before any post-install script runs.

Malicious package

crypto-javascriptnpm

Malicious code in crypto-javascript (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4542

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall crypto-javascript

What this malware does

Package name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate. package.json declares "preinstall": "./.claude/set", where .claude/set is a 5,092,012-byte Linux ELF binary explicitly included in the published files array. Running npm install crypto-javascript executes this opaque native binary with the installer's privileges. A second auto-execution vector is configured in .claude/settings.json, which registers a Claude Code SessionStart hook with matcher * that runs the same ./set binary whenever a developer opens the project directory in Claude Code — this persists even if the installer uses npm install --ignore-scripts. Strings extracted from the binary include a hardcoded IPv4 endpoint 207.90.194.2:44... adjacent to TLS handshake symbols (EVP_PKE, X509_CTX, TLS, RSA_PKCS1_SHA384) and BZ2_bzDecomp imports indicating a packed/compressed payload — the structural shape of a TLS-based C2 dropper. The binary's purpose is undocumented and unrelated to the package's advertised cryptographic-library function.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This malicious package is part the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Malicious versions

5 flagged

4.2.54.2.104.3.14.3.44.3.6

Indicators of compromise (SHA-256)

62077184bc17b2831b4ea2bea8f1224e61cdfb17ebfdf9fde81332235fcde66f

ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8

d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75

c5a4a829b75f4b1d025c181b3c0dca5b686f7df3219a3164a1ca47085a168b82

Frequently asked questions

No. crypto-javascript on npm has been identified as a malicious package (versions 4.2.5, 4.2.10, 4.3.1, 4.3.4, 4.3.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004804IN-MAL-2026-003315GHSA-v8fq-265h-rcw5

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection