Malicious package

grateful-payments (npm)

Malicious code in grateful-payments (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5445
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall grateful-payments

What this malware does

On npm install, the package's postinstall script (src/canary.js) performs a DNS lookup and HTTPS GET to the hardcoded host 96e03fa6c292469a-172-245-86-254.serveousercontent.com at path /c. serveousercontent.com is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to a verifiable publisher. Every installer's machine emits an unconsented outbound network call at install time, revealing source IP, DNS resolver path, and install timing to the tunnel operator — a classic install-fleet beaconing pattern used to confirm compromise reach. The package's own metadata describes itself as a HackerOne research canary with an empty main module, but the install-time network behavior is identical to a real install-time beacon and runs on anyone who installs this version.

Malicious versions

1 flagged
99.0.0-canary.1
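
To check whether a project's dependency tree contains the package, including as a nested or aliased dependency, the following added example (not code from this advisory or its publisher) scans a parsed package-lock.json for the name and version listed above. The function names and the sample lockfile with its "demo-app" and "billing-sdk" entries are constructed for illustration.

```javascript
// Added example. Package name and flagged version are taken from this advisory.
const ADVISORY = { name: "grateful-payments", versions: ["99.0.0-canary.1"] };
const NM = "node_modules/";

// Lockfile v2/v3: flat "packages" map keyed by install path.
function entriesFromPackages(packages) {
  const out = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf(NM);
    // meta.name is set for aliased installs, where the path hides the real name.
    const name = meta.name || (i >= 0 ? path.slice(i + NM.length) : path);
    out.push({ name, version: meta.version, path, hasInstallScript: meta.hasInstallScript === true });
  }
  return out;
}

// Lockfile v1: nested "dependencies" tree; rebuild the install path while walking.
function entriesFromTree(deps, prefix = "") {
  const out = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix + NM + name;
    // v1 lockfiles do not record install scripts, so the field is left unknown (null).
    out.push({ name, version: meta.version, path, hasInstallScript: null });
    out.push(...entriesFromTree(meta.dependencies, path + "/"));
  }
  return out;
}

// Returns every install of the advisory's package; flagged=true for a listed version.
function findAdvisoryHits(lock) {
  const entries = lock.packages ? entriesFromPackages(lock.packages) : entriesFromTree(lock.dependencies);
  return entries
    .filter((e) => e.name === ADVISORY.name)
    .map((e) => ({ ...e, flagged: ADVISORY.versions.includes(e.version) }));
}

// Constructed sample lockfile (v3); "demo-app" and "billing-sdk" are made-up names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/billing-sdk": { version: "2.1.0" },
    "node_modules/billing-sdk/node_modules/grateful-payments": {
      version: "99.0.0-canary.1", hasInstallScript: true,
    },
  },
};

console.log(findAdvisoryHits(SAMPLE_LOCK));
```

On a real project, pass the result of JSON.parse on the contents of package-lock.json to findAdvisoryHits; any returned entry means the package is in the tree and should be removed.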

Indicators of compromise (SHA-256)

1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471
bbd4cc6cf034de9a6a7d4edd97f5fcea8b806ad98dacb14372e5a632477861ad

Frequently asked questions

No. grateful-payments on npm has been identified as a malicious package (version 99.0.0-canary.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005111, IN-MAL-2026-005112

Credits

  • Amazon Inspector · finder

grateful-payments (npm) malicious package — MAL-2026-5445 | O3 Security