Malicious package

envoy1 (npm)

Malicious code in envoy1 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-871
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall envoy1

What this malware does

The package envoy1 was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'envoy1' @ 1.0.10 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

8 flagged
1.0.1, 1.0.4, 1.0.5, 1.0.10, 1.0.12, 1.0.14, 1.0.15, 1.0.17

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for envoy1 (8 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging envoy1 across your stack and pipelines.

  2. If you installed it — respond

    Remove envoy1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If envoy1 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks envoy1 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
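One way to carry out step 1 for a package-lock.json, as an added example that is not O3's or OpenSSF's code: it walks both lockfile layouts, catches envoy1 installed under an npm alias, and marks the eight versions listed above. The names findEnvoy1 and SAMPLE_LOCK are hypothetical, and the sample lockfile is constructed.

```javascript
// Added example: find envoy1 in a parsed package-lock.json (lockfileVersion 1-3).
// Flagged versions are the eight listed in this advisory.
const FLAGGED = new Set(['1.0.1', '1.0.4', '1.0.5', '1.0.10',
                         '1.0.12', '1.0.14', '1.0.15', '1.0.17']);
const NAME = 'envoy1';

function findEnvoy1(lock) {
  const hits = [];
  const seen = new Set();
  const record = (where, version) => {
    if (seen.has(where)) return;          // v2 files list each entry twice
    seen.add(where);
    hits.push({ where, version, flagged: FLAGGED.has(version) });
  };
  // v2/v3: flat "packages" map keyed by install path; "name" is present
  // when the folder name differs from the real package (npm alias).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const real = meta.name || path.split('node_modules/').pop();
    if (path !== '' && real === NAME) record(path, meta.version);
  }
  // v1: nested "dependencies" tree; aliases appear as "npm:<name>@<version>".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}node_modules/${name}`;
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || '');
      if ((alias ? alias[1] : name) === NAME) {
        record(where, alias ? alias[2] : meta.version);
      }
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/left-helper': { version: '2.0.0' },
    'node_modules/left-helper/node_modules/envoy1': { version: '1.0.10' },
    'node_modules/proxy-lib': { name: 'envoy1', version: '1.0.3' }, // alias
  },
};

console.log(findEnvoy1(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to findEnvoy1. Treat every hit as a finding, including entries where flagged is false, since the advisory says not to keep envoy1 in the dependency tree at all.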

Frequently asked questions

No. envoy1 on npm has been identified as a malicious package (versions 1.0.1, 1.0.4, 1.0.5, 1.0.10, 1.0.12, 1.0.14, 1.0.15, 1.0.17 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-f4fg-xj6v-j6r8

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks envoy1-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
