Malicious package

event-metrics-q3x7 (npm)

Malicious code in event-metrics-q3x7 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5857
Immediate action
Remove the package, then rotate every secret the install or runtime environment could reach. Because the beacon reads process.env, treat any CI token, registry token or cloud credential that was present in the installing environment as exposed. Check lockfiles and nested node_modules copies as well, not only direct dependencies.
npm uninstall event-metrics-q3x7

What this malware does

On install, the postinstall hook in package.json (node run.js) runs beacon scripts shipped in the tarball (beacon20.js, beacon_linux.js). The beacons load child_process, os, https and http, gather host fingerprints (os.hostname(), os.platform(), process.platform, the full process.env) plus command output via exec(...), and send the data out: beacon_linux.js issues an http.request(...) POST containing the host details, while beacon20.js makes https.request(...) calls, including requests to the Azure management API endpoint. Nothing in the package's advertised purpose justifies a host-information beacon that fires automatically at install time, and what it collects (environment variables, hostname, platform, command output) is classic installer-side reconnaissance and credential-surface telemetry. Simply running npm install on this package executes the beacon and leaks information about the installing machine, including any secrets in its environment, to the embedded destinations.

Malicious versions

9 flagged
1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8

Indicators of compromise (SHA-256)
Frequently asked questions

No. event-metrics-q3x7 on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7 and 1.0.8 are flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-006734, IN-MAL-2026-006733, IN-MAL-2026-006731, IN-MAL-2026-006737, IN-MAL-2026-006735, IN-MAL-2026-006732, IN-MAL-2026-006729, IN-MAL-2026-006736, IN-MAL-2026-006730

Credits

  • Amazon Inspector · finder

event-metrics-q3x7 (npm) malicious package — MAL-2026-5857 | O3 Security