Malicious package

jest-test-plugin-utils (npm)

Malicious code in jest-test-plugin-utils (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5896
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall jest-test-plugin-utils

What this malware does

The package advertises itself as a Jest plugin (name: 'jest-test-plugin-utils', description: 'mqtt utils') but ships no Jest or MQTT functionality. Its main entry dist/index.js is a heavily obfuscated 200KB browserify bundle (obfuscator.io fingerprint: 1299-entry rotated string array, decoder wrapper, control-flow flattening; built with the declared devDependency 'gulp-javascript-obfuscator').

After deobfuscation, the only meaningful behavior is a function loadFilbetScriptSilently() (exposed as window.fetchFilbetScript) that creates a <script> element with src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js' and appends it to document.head, executing whatever code the author hosts at that mutable @main branch. The destination repository is named 'network-security' under author 'gongben2024' and is unrelated to the package's stated purpose. Because the reference is to the @main branch (not a pinned commit or tag), the author can change the executed payload at any time without republishing this package.

Any application that bundles or imports this module will execute attacker-controlled JavaScript in the browser context, with full access to the host page's DOM, cookies, and storage. The combination of name camouflage, heavy obfuscation, and unpinned remote-script execution is a deliberate supply-chain attack pattern.

Malicious versions

4 flagged
1.0.0, 1.0.1, 1.0.2, 1.0.4

Indicators of compromise (SHA-256)

3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e
54c5196f3361da72dfccd2c8abb0caba132415f9907602c5a6ec92d6da2e077f
bb80fa98045e0dd75514425f419aa986e7e57bfa888d8baaa8c5eb0016418f83
f5445eba984ab32829120583a68c6bfc2fa8aec2f875b506c873de598f1d27d1

Frequently asked questions

Is jest-test-plugin-utils safe to use?

No. jest-test-plugin-utils on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.4 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-006765
  • IN-MAL-2026-006764
  • IN-MAL-2026-006766
  • IN-MAL-2026-006763

Credits

  • Amazon Inspector · finder

jest-test-plugin-utils (npm) malicious package — MAL-2026-5896 | O3 Security