Malicious package

events-runtime (npm)

Malicious code in events-runtime (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5528
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall events-runtime

What this malware does

Typosquat of the legitimate events package. A trigger injected into events.js emit() spawns a hidden loader (tests/galas-emit.min.js) when an emitted event has args[0].eventId === 'eventId0'. The loader loads a 760KB ethers-based wallet stealer (tests/galas.min.js; 108 mnemonic / 62 privateKey refs), exfiltrates a host report over Telegram and Slack, and uses a Slack channel + an Ethereum Sepolia smart contract as bidirectional C2. The linked GitHub repo (EVENTS-RUNTIME/events-runtime) is a clean decoy; the published npm tarball diverges from it (injected emit block + payload files absent from the repo). No install scripts (runtime-triggered). Validated by static analysis and contained dynamic detonation.

Network IoCs:

  • Telegram bot 8961878831:AAG4WTbRUcbXI5UCaN4VXK8k57ghqqkg_qI, chat_id -1003952553968
  • Slack token xoxb-11307403103236-11289767127959-yV5qQADdFGCI8oxsZTr8FJHk; channels C0B8XPGCKQS (exfil), C0B8GEPFMK9 (command)
  • RPC https://eth-sepolia.g.alchemy.com/v2/0E6xblLeXLnZSnn280R-O ; contract 0xc0445F1b679DC46280A0f03F451bdf613b5A0feA (Sepolia), selector 0x51e3adc0

File IoCs: tests/galas.min.js, tests/galas-emit.min.js, tests/errors.min.js

Trigger: emit() with args[0].eventId === 'eventId0'

Malicious versions

1 flagged
3.3.0

Indicators of compromise (SHA-256)

9dec390f61d4b2205b07cb0dae6c7be308ebf5c95a9167341b1ee6bfca485608

Frequently asked questions

No. events-runtime on npm has been identified as a malicious package (version 3.3.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005260

Credits

  • Amazon Inspector · finder

events-runtime (npm) malicious package — MAL-2026-5528 | O3 Security