Malicious package

hex-type (npm)

Malicious code in hex-type (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5538
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall hex-type

What this malware does

The package metadata (description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build script --name ulidx, reused ULID source) impersonates the legitimate ulid/ulidx libraries, but the package adds a malicious dropper that is not present in those projects.

package.json declares "postinstall": "node dist/utils.js". On npm install, dist/utils.js re-spawns itself detached with --bg and copies dist/payload.js (~950KB) to a hidden directory named MicrosoftSystem64 (impersonating a Windows system component) under LOCALAPPDATA / Application Support / ~/.local/share. It then registers OS-level persistence: on Windows, a Scheduled Task plus a Run key that launches wscript.exe on a generated VBS; on Linux, a systemd --user service with loginctl enable-linger, or a .config/autostart fallback; on macOS, a detached spawn.

The dropped payload.js bundles the ws WebSocket client/server, pino logging, and zod, and references https://huggingface.co/api and https://huggingface.co. These are the building blocks of a long-running remote-controlled agent and have zero relation to ULID generation. Both the postinstall (if (cpus.length <= 4...) return;) and the agent (MIN_CPU_COUNT = 5) abort on hosts with ≤4 CPUs to evade sandboxes and low-core CI runners. This is unambiguous installer-side RCE plus persistence plus C2.
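The checks below are an added triage example, not code from this advisory or its finder: they look for hex-type in a package-lock.json, for the postinstall hook quoted above, and for the MicrosoftSystem64 directory under the per-OS locations listed. The function names, the sample lockfile, the dot-prefixed directory variant and the macOS ~/Library mapping are assumptions.

```javascript
// Added triage example for the advisory above; function names are hypothetical.
const PKG = 'hex-type';
const FLAGGED = ['3.0.2'];            // flagged version listed on this page
// Drop directory name from this page; the dot-prefixed variant is an
// assumption added to cover "hidden" naming on Unix-like hosts.
const DROP_NAMES = ['MicrosoftSystem64', '.MicrosoftSystem64'];

// Find hex-type entries in a package-lock.json (v2/v3 "packages" map),
// including copies nested under another dependency.
function findInLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      hits.push({ path, version: meta.version, flagged: FLAGGED.includes(meta.version) });
    }
  }
  return hits;
}

// True when a package.json carries the install hook quoted in the advisory.
function hasDropperHook(pkgJson) {
  const hook = (pkgJson.scripts || {}).postinstall || '';
  return /\bnode\s+dist\/utils\.js\b/.test(hook);
}

// Per-OS locations named in the advisory where the payload copy may sit.
// Mapping "Application Support" to ~/Library on macOS is an assumption.
function candidateDropDirs(platform, env, home) {
  const sep = platform === 'win32' ? '\\' : '/';
  const bases = [];
  if (platform === 'win32' && env.LOCALAPPDATA) bases.push(env.LOCALAPPDATA);
  if (platform === 'darwin') bases.push(`${home}/Library/Application Support`);
  if (platform === 'linux') bases.push(`${home}/.local/share`);
  return bases.flatMap((base) => DROP_NAMES.map((name) => base + sep + name));
}

// Check the current host for any of those directories.
async function scanHost() {
  const fs = await import('node:fs');
  const os = await import('node:os');
  return candidateDropDirs(process.platform, process.env, os.homedir())
    .filter((dir) => fs.existsSync(dir));
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/hex-type': { version: '3.0.2' },
  'node_modules/demo-dep/node_modules/hex-type': { version: '3.0.2' },
} };
console.log(findInLockfile(SAMPLE_LOCK));
scanHost().then((found) => console.log('drop directories present:', found));
```

A directory hit means the postinstall already ran on that host, so uninstalling the package is not sufficient there; the persistence entries described above also need to be removed.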

Malicious versions

1 flagged
3.0.2

Indicators of compromise (SHA-256)

1b9530df5da36f6e3de0761c79ef3687e4f0c5f1990d77a3f874df2c1b3fe278
f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad

Frequently asked questions

No. hex-type on npm has been identified as a malicious package (version 3.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005342
IN-MAL-2026-005341

Credits

  • Amazon Inspector · finder

hex-type (npm) malicious package — MAL-2026-5538 | O3 Security