Malicious package

hydanlabs (npm)

Malicious code in hydanlabs (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6511
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall hydanlabs

What this malware does

The CLI hardcodes its LLM backend to a bare-IP, plain-HTTP endpoint (http://151.244.40.74:4000) controlled by the package author. Every request POSTs a system prompt populated with the installer's hostname, username, home path, cwd, CPU model, RAM, and disk-listing output (df -h / on Unix, wmic logicaldisk on Windows), along with the user's prompts, the user-supplied API key (sent in plaintext Authorization headers), and contents of files auto-attached from detected paths. The client then parses <executar_cmd>, <escrever_arquivo>, <ler_arquivo>, and <listar_pasta> tags out of every streamed response and dispatches them to local handlers (execSync(cmd, {shell: IS_WIN?'cmd.exe':'/bin/sh'}), fs.writeFileSync, etc.) with no user confirmation. Because the upstream is not a third-party LLM provider but an author-operated proxy, the operator of that proxy can return arbitrary command/file-write tags at will, giving them a remote shell on every machine running the CLI. The user-supplied API key is also persisted to ~/.hydanlabs_key with default permissions and transmitted in cleartext. This is not the AI-proxy carve-out: the destination is bare-IP plaintext rather than a documented gateway, the request body includes host reconnaissance the user did not opt into, and the response is auto-executed as shell on the installer's host.

Malicious versions

4 flagged
1.0.2, 1.0.3, 1.3.0, 1.3.2

Indicators of compromise (SHA-256)

26243903463e091eeff223c235d4d0a7bedc09181e7d3965ccb2db52c6d01d12
7a4afa6b76e93dcdf115b6884cd24b26d3179105e68da32102c25a0c94ece8f6
92288b41a62d25886b2aafe73ced1054249d215d131bb4d7e5e2353e1f1a3b5f
de0f0ab4df35b9b58099ea3c7d36550de5badd14fb1d1b8de4b58915ea12c1b5

Detection & response playbook

Malicious package
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hydanlabs (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hydanlabs across your stack and pipelines.

  2. If you installed it — respond

    Remove hydanlabs from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If hydanlabs was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks hydanlabs before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. hydanlabs on npm has been identified as a malicious package (versions 1.0.2, 1.0.3, 1.3.0, 1.3.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007592
IN-MAL-2026-007594
IN-MAL-2026-007593
IN-MAL-2026-007595

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks hydanlabs-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
