Malicious package

freertc (npm)

Malicious code in freertc (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4567
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall freertc

What this malware does

On install, scripts/postinstall-message.mjs reads the consumer project's package.json via process.env.INIT_CWD, and if freertc appears in dependencies/devDependencies with any value other than 'latest', it overwrites the entry to 'latest', writes the modified package.json back to disk, and invokes spawnSync('npm', ['install'], { cwd: projectRoot }). This silently mutates the installer's committed manifest (and lockfile, via the recursive npm install) without consent, converting any pinned version constraint into the mutable 'latest' tag.

The effect is that every subsequent install on the consumer's machine — and on every collaborator's machine once the modified package.json is committed — will automatically pull whatever the newest published freertc release happens to be, including any future compromised release. This removes version pinning, the consumer's primary defense against supply-chain attacks on this package, as a direct consequence of installing it.

The postinstall hook also performs an outbound fetch to registry.npmjs.org to gather version info as part of the same flow. Independent of the version-rewrite behavior, the package contains additional outbound network calls in bin/freertc.mjs and a ping/network-id pattern in scripts/non-cloudflare-server.mjs that warrant scrutiny but are reachable only via explicit CLI/server invocation, not at install time.

Malicious versions

8 flagged
0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.28, 0.1.31, 0.1.32, 0.1.33

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for freertc (8 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging freertc across your stack and pipelines.

  2. If you installed it — respond

    Remove freertc from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If freertc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks freertc before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
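
The "Find it" step, as an added example that is not O3's code or part of the original advisory: it checks an already-parsed package.json for the 'latest' rewrite described above and an already-parsed package-lock.json for resolved copies of freertc. The function names and the sample manifest and lockfile are constructed for illustration; the lockfile handling assumes npm's package-lock.json layout.

```javascript
// Added example: audit parsed package.json / package-lock.json for freertc.
const PKG = 'freertc';
// The eight versions this page lists as flagged.
const FLAGGED = new Set(['0.1.20', '0.1.21', '0.1.22', '0.1.23',
                         '0.1.28', '0.1.31', '0.1.32', '0.1.33']);

// package.json: report each declaration; 'latest' is the value the
// postinstall script writes over whatever range was there before.
function auditManifest(manifest) {
  return ['dependencies', 'devDependencies']
    .filter((field) => manifest?.[field]?.[PKG] !== undefined)
    .map((field) => {
      const spec = manifest[field][PKG];
      return { field, spec, rewrittenToLatest: spec === 'latest' };
    });
}

// package-lock.json: collect every resolved copy, direct or transitive.
function auditLockfile(lock) {
  const hits = [];
  const add = (where, version) =>
    hits.push({ where, version, flagged: FLAGGED.has(version) });
  if (lock?.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PKG}`)) add(path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps ?? {})) {
        if (name === PKG) add(trail + name, entry.version);
        walk(entry.dependencies, `${trail}${name} > `);
      }
    };
    walk(lock?.dependencies, '');
  }
  return hits;
}

// Constructed sample input (not taken from a real project).
const sampleManifest = { name: 'demo-app', dependencies: { [PKG]: 'latest' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { [PKG]: 'latest' } },
    'node_modules/freertc': { version: '0.1.33' },
    'node_modules/example-lib': { version: '1.0.0' },
  },
};
console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Feed it the JSON.parse output of the real files. A 'latest' spec in a manifest that previously carried a pinned range is worth checking against version control history for the rewrite.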

Frequently asked questions

No. freertc on npm has been identified as a malicious package (versions 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.28, 0.1.31, 0.1.32, 0.1.33 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004446, IN-MAL-2026-004455, IN-MAL-2026-004454, IN-MAL-2026-004450, IN-MAL-2026-004447, IN-MAL-2026-004429, IN-MAL-2026-004451, IN-MAL-2026-004430

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks freertc-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

freertc (npm) malicious package — MAL-2026-4567 | O3 Security