Malicious package

encrypted-archive (npm)

Malicious code in encrypted-archive (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5286
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall encrypted-archive

What this malware does

On npm install, the package executes a preinstall hook (package.json "preinstall": "node index.js || true") that runs index.js, which performs a DNS resolution and HTTPS GET to a hardcoded interactsh/oast.me subdomain (d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me). Each install leaks the resolver IP, public egress IP, hostname-derived identifier, and install timestamp to a third-party out-of-band interaction server. The package's own metadata states it is a dependency-confusion proof-of-concept squatting an internal Ubiquiti namespace; any build system that resolves this name from the public registry instead of the intended private registry will silently run the beacon. Regardless of the author's stated research intent, the install-time network I/O to an attacker-controlled OOB host is the canonical dependency-confusion exploitation primitive and exfiltrates installer-side network/identity data.
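
A lockfile check for the behaviour described above, added here as an example and not code from the advisory or from the package: it reports entries in a package-lock.json (lockfileVersion 2 or 3) that match the flagged name and versions listed on this page, that resolve an internal name from a host other than the private registry, and that run an install script. The hostname npm.internal.example, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the package and versions flagged on this page.
const FLAGGED = { 'encrypted-archive': ['0.0.2-security-research', '99.0.0'] };

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function nameFromKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

// internalNames: names that must only come from the private registry.
// privateHost: hostname of that registry (assumption, set per organisation).
function auditLockfile(lock, internalNames, privateHost) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || nameFromKey(key);
    if (!name) continue; // no derivable package name, nothing to match
    const reasons = [];
    if ((FLAGGED[name] || []).includes(entry.version)) reasons.push('flagged-version');
    if (internalNames.includes(name) && entry.resolved) {
      let host = null;
      try { host = new URL(entry.resolved).hostname; } catch { host = null; }
      if (host !== privateHost) reasons.push('resolved-outside-private-registry');
    }
    if (reasons.length && entry.hasInstallScript) reasons.push('runs-install-script');
    if (reasons.length) findings.push({ path: key, name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/encrypted-archive': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/encrypted-archive/-/encrypted-archive-99.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

console.log(auditLockfile(sampleLock, ['encrypted-archive'], 'npm.internal.example'));
```

Against a real project, pass the result of JSON.parse on the project's package-lock.json in place of sampleLock, and run the check in CI before any npm install step so the preinstall hook never executes.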

The OpenSSF Package Analysis project identified 'encrypted-archive' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged
0.0.2-security-research, 99.0.0

Indicators of compromise (SHA-256)

13428a6cdcd4736d3f044dd6a580724699318155a1c1e283b586b9a4c3ab6295
f291327983b20a3a12bd0b0b5e7fcbd0b81034402c97da2921cbe8fff14f7fd8
c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94

Frequently asked questions

No. encrypted-archive on npm has been identified as a malicious package (versions 0.0.2-security-research, 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005317, IN-MAL-2026-005316

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

encrypted-archive (npm) malicious package — MAL-2026-5286 | O3 Security