Malicious package

datacamp-light (npm)

Malicious code in datacamp-light (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6091
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall datacamp-light

What this malware does

The package impersonates the DataCamp brand while shipping near-empty stub exports (the init/helper exports in index.js return trivial constants). The postinstall lifecycle hook (node install.js) runs on every npm install and collects the installer's hostname, OS username, home directory, platform, current working directory, and timestamp, then POSTs them over HTTPS to dc.iam.c.noratomo.asia/install with TLS certificate verification disabled (rejectUnauthorized: false). The destination domain has no relationship to datacamp.com. Taken together, the brand-impersonating name, the hollow library functionality, the lifecycle-triggered outbound beacon to an unrelated domain, the host-identifying fields, and the disabled TLS verification mark this as a supply-chain reconnaissance implant aimed at developers who install it expecting DataCamp tooling.

Malicious versions

1 flagged
1.0.0
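
To check whether the flagged version is anywhere in a dependency tree, including as a transitive dependency, the lockfile can be searched directly. The following is an added example, not code from the advisory or from the package; the package name and version come from this page, while the sample lockfile and the names demo-app and some-tool are constructed for illustration.

```javascript
const FLAGGED = { name: "datacamp-light", versions: new Set(["1.0.0"]) };

function hit(path, meta, hasInstallScript) {
  return { path, version: meta.version,
           flaggedVersion: FLAGGED.versions.has(meta.version), hasInstallScript };
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    // "name" is set for aliased installs; otherwise take the last path segment.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === FLAGGED.name) hits.push(hit(path, meta, meta.hasInstallScript === true));
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    // v1 does not record install scripts, so report null (unknown).
    if (name === FLAGGED.name) hits.push(hit(here.join(" > "), meta, null));
    hits.push(...scanDependencyTree(meta.dependencies, here));
  }
  return hits;
}

function findFlagged(lock) {
  return lock.packages ? scanPackagesMap(lock.packages)
                       : scanDependencyTree(lock.dependencies);
}

// Constructed sample lockfile; "demo-app" and "some-tool" are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/some-tool": { version: "2.4.1" },
    "node_modules/some-tool/node_modules/datacamp-light": {
      version: "1.0.0", hasInstallScript: true },
  },
};
console.log(findFlagged(sampleLock));
```

On a real project, pass findFlagged the parsed contents of package-lock.json. Any hit means the package was resolved into the tree, so the removal and credential rotation steps above apply.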

Indicators of compromise (SHA-256)

4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c

Frequently asked questions

No. datacamp-light on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006961

Credits

  • Amazon Inspector · finder

datacamp-light (npm) malicious package — MAL-2026-6091 | O3 Security