Malicious package

friendly-greeter-demo (npm)

Malicious code in friendly-greeter-demo (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5704
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall friendly-greeter-demo

What this malware does

The package presents itself as a trivial greeting library but ships two independent backdoor paths to a hardcoded bare-IP C2 at http://98.86.244.177:8080.

  • package.json declares "postinstall": "node postinstall.js", which fires on every npm install. postinstall.js re-spawns itself as a detached daemon (POSTINSTALL_DAEMON=1), POSTs the installer's os.hostname() and process.platform to /register, polls /beacon for a command field, executes it via child_process.exec with a 30s timeout, and POSTs stdout+stderr back to /results in a jittered loop — a persistent command-and-control backdoor that survives the install and grants the operator of 98.86.244.177 full shell on the installer's machine.
  • index.js (the declared main) contains a top-level IIFE that performs the same /register → /beacon → exec → /results flow on require('friendly-greeter-demo'), so any consumer that imports the package as a library also gets full RCE.

The C2 destination is a bare IPv4 over plaintext HTTP, with no relation to the package's stated greeting purpose.
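A defender-side check for this advisory, added here as an example and not code from the O3 Security page or from the package: it walks a parsed package-lock.json for every copy of friendly-greeter-demo, marks the five flagged versions, and lists the install-time lifecycle scripts in a package.json so a hook like the postinstall described above is visible before `npm install` runs it. The lockfile and manifest objects are constructed samples.

```javascript
// Package and versions flagged in advisory MAL-2026-5704.
const PACKAGE = 'friendly-greeter-demo';
const FLAGGED_VERSIONS = new Set(['1.0.1', '1.0.2', '1.0.3', '1.0.4', '1.0.6']);
// npm lifecycle scripts that run during `npm install`; this sample fires from "postinstall".
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Find every copy of the package in a parsed package-lock.json (lockfileVersion 2/3
// "packages" map or lockfileVersion 1 nested "dependencies" tree). Every copy is
// reported, with known-bad versions flagged, since the package should not stay in the tree.
function findPackage(lock) {
  const hits = [];
  const record = (path, version) => hits.push({ path, version, flagged: FLAGGED_VERSIONS.has(version) });
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PACKAGE)) record(path, entry.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PACKAGE) record(path, dep.version);
      walk(dep.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// List install-time lifecycle scripts declared in a parsed package.json, so a
// reviewer sees what will execute on `npm install` before trusting a dependency.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample lockfile: the package arrives both directly and nested.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/friendly-greeter-demo': { version: '1.0.4' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/friendly-greeter-demo': { version: '1.0.3' },
  },
};
// Constructed sample manifest carrying the hook the advisory describes.
const SAMPLE_PKG = { name: PACKAGE, version: '1.0.3', scripts: { postinstall: 'node postinstall.js' } };

console.log(findPackage(SAMPLE_LOCK)); // two copies, both flagged
console.log(installHooks(SAMPLE_PKG)); // [{ hook: 'postinstall', command: 'node postinstall.js' }]
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to findPackage; the lockfile, unlike package.json, shows transitive copies the manifest never names.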

Malicious versions

5 flagged: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.6

Indicators of compromise (SHA-256)


Frequently asked questions

No. friendly-greeter-demo on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006208, IN-MAL-2026-006209, IN-MAL-2026-006210, IN-MAL-2026-006211, IN-MAL-2026-006212

References

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
