Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

es6-codifynpm

Malicious code in es6-codify (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10062
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall es6-codify

What this malware does

The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation.

Malicious versions

8 flagged
1.0.11.1.01.2.01.3.01.4.02.0.02.1.02.2.0

Indicators of compromise (SHA-256)

217d3f911643e24dc7767f6ca16a8e60199819ea084db7ee55b8e7d74430db33
39fc72e58c9fcc953659b53bc2e644d5e588b2dbe4000ad2d1c79c1662d1fa37
3f1cf9de60a87ebc3b2367546d4e07c0d34152bc5708a94953eae79bb550da1e
4521a0e0e2cb609fdd068bbc0749306e9c416854c7035bedeaeaf6d2fc8ecee2
91a28ed2bb0eb6800a866c6ca71cb3fd31701f6b1b2b6eab0d86b09cf16be96d
9ef411e013692f392703190ba3bfb76d10cec0baff227fad1317e1c61ae5af5d
e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f
fde9b9993861b8d7c618e09e51586ed83a303463fb5aad2de9010551dc2e89ee

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for es6-codify (8 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging es6-codify across your stack and pipelines.

  2. If you installed it — respond

    es6-codify is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If es6-codify was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks es6-codify before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. es6-codify on npm has been identified as a malicious package (versions 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.1.0, 2.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009230IN-MAL-2026-009234IN-MAL-2026-009231IN-MAL-2026-009224IN-MAL-2026-009227IN-MAL-2026-009229IN-MAL-2026-009228IN-MAL-2026-009226

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks es6-codify-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

es6-codify (npm) malicious package — MAL-2026-10062 | O3 Security