Malicious package

http-uploader-dev (npm)

Malicious code in http-uploader-dev (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4580
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall http-uploader-dev

What this malware does

package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out to launch an unrelated local application — open -a Calculator on macOS, calc.exe on Windows, and xcalc/gnome-calculator/kcalc on Linux — via execSync. This is the canonical proof-of-concept install-time RCE payload and bears no relation to the package's stated 'http uploader' purpose. Two independently suspicious structural traits compound the lifecycle behavior: (1) the preinstall hook routes execution through Bun, an alternate runtime fetched outside the normal Node resolution path, matching the alternate-runtime-dropper pattern; (2) package metadata is placeholder/throwaway (author 'sleep', homepage https://git.hfaf.com/urlaa, generic name 'http-uploader-dev'). The PoC nature of the current payload (launching a calculator) does not lower the severity: any installer running npm install http-uploader-dev executes attacker-chosen commands at install time, and a future republish can swap in arbitrary code with no change to the trigger surface.

Malicious versions

7 flagged: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7

Indicators of compromise (SHA-256)


Frequently asked questions

No. http-uploader-dev on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003797, IN-MAL-2026-003788, IN-MAL-2026-003795, IN-MAL-2026-004607, IN-MAL-2026-003791, IN-MAL-2026-004872, IN-MAL-2026-005990

Credits

  • Amazon Inspector · finder
