Malicious package

exodus-checkout-signer (npm)

Malicious code in exodus-checkout-signer (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5439
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall exodus-checkout-signer

What this malware does

exodus-checkout-signer is the unscoped form of the scoped package @exodus/checkout-signer. It self-describes (in its README and package.json) as a dependency-confusion proof of concept aimed at installers who follow Exodus's documented install command but drop the scope. The package's main entry throws on require, so any caller fails loudly; the damage is done earlier, at install time. The postinstall script unconditionally runs node src/canary.js, which resolves and sends an HTTPS GET to 96e03fa6c292469a-172-245-86-254.serveousercontent.com, a Serveo SSH-tunnel endpoint whose subdomain embeds the raw IP 172.245.86.254, passing the package name and version as query parameters (/canary-install?pkg=...&ver=...). No installer secrets are exfiltrated, but every installation reveals the victim's source IP, install timing and corporate egress point to an anonymous tunnel operator with no affiliation to the impersonated Exodus publisher. Name confusion against a prominent wallet vendor's documented scope, combined with install-time beaconing to attacker-controllable infrastructure, is a live supply-chain attack whatever the author's stated 'research' intent. Uninstalling does not undo the beacon: treat any host that ran the install as having disclosed its egress IP.

Malicious versions

1 flagged
99.0.0-canary.1 (a deliberately high version number, the usual dependency-confusion technique for outranking any other package of the same name during resolution)

Indicators of compromise (SHA-256)

7da50adb6560d5d1153657f16884e3acba9fd19865b0c1f6a90da176ae951f98
921c5ef246587db452bdb65aae12321f4de868e7882f9550f9b9e32300ae792c

Frequently asked questions

Is exodus-checkout-signer safe to use?

No. exodus-checkout-signer on npm has been identified as a malicious package (version 99.0.0-canary.1 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-005120
IN-MAL-2026-005119

Credits

  • Amazon Inspector · finder
