Which versions of exodus-secure-container are malicious?

The following npm versions of exodus-secure-container are flagged malicious: 99.0.0-canary.1. Treat any of these as compromised.

How do I remediate exodus-secure-container if I installed it?

Remove exodus-secure-container from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is exodus-secure-container part of a known attack campaign?

Yes — exodus-secure-container is associated with the IN-MAL-2026-005106, IN-MAL-2026-005105 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect exodus-secure-container in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking exodus-secure-container and packages like it before any post-install script runs.

Malicious package

exodus-secure-containernpm

Malicious code in exodus-secure-container (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5441

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall exodus-secure-container

What this malware does

On npm install, the package runs node src/canary.js as a postinstall hook. That script performs a DNS lookup and HTTPS GET to the hardcoded host 96e03fa6c292469a-172-245-86-254.serveousercontent.com/c — an anonymous serveo.net reverse-tunnel endpoint, not a publisher CDN. The beacon fires unconditionally on every install, signalling the installer's public IP and DNS-resolver identity to a third-party host. The package itself has no functionality: src/index.js is module.exports = {}, and the version 99.0.0-canary.1 is engineered to win semver resolution against an internal package of the same name (dependency-confusion canary shape). Whether the operator is a researcher or a hostile actor, any environment that resolves this name against the public registry leaks install-time identity to an attacker-controllable tunnel.

Malicious versions

1 flagged

99.0.0-canary.1

Indicators of compromise (SHA-256)

8ed2337fdd749accb1f4a5b190413ced8c1cd0f1b691ba3e79dd4bfe9a3f3ef8

92bc77b12251baa18392bd90e84d6bdc57aaef9a8c774f8cb29a0066e80f76b5

Frequently asked questions

No. exodus-secure-container on npm has been identified as a malicious package (version 99.0.0-canary.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005106IN-MAL-2026-005105

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection