Malicious package

js-digest (npm)

Malicious code in js-digest (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5912
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall js-digest

What this malware does

The package impersonates crypto-js. Its name is js-digest, but package.json carries crypto-js's exact description ("JavaScript library of cryptography standards."), the homepage http://github.com/brix/js-digest (brix is the crypto-js org), and the author "Evan Vosberg" (the crypto-js maintainer).

package.json declares "preinstall": "./lib/install-deps.mjs", but lib/install-deps.mjs is not JavaScript: it is a 3.2 MB Linux x86_64 ELF binary (magic 7F 45 4C 46, sha256 7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316). On npm install, npm's preinstall hook executes this native binary with the installer's privileges before any code is reviewed.

Strings extracted from the binary show a multi-platform credential harvester: HTTP requests scraping GitHub (GET /user and /user/repos with Authorization: Bearer ...), Slack (POST /api/auth.test with Cookie: d=), Discord, Microsoft Teams (/api/mt/*), and HashiCorp Vault (X-Vault-Token, /v1/...); reads of /.vault-token, /.vault/token, gpg --batch --no-tty --list-keys, and /proc/<pid>/{mem,cmdline,environ}; and multipart POST uploads to remote endpoints.

The binary also embeds systemd unit templates ([Unit]/[Service]/ExecStart=.../Restart=always) for both the system scope (/etc/systemd/system/) and the user scope (~/.config/systemd/user/) for persistence, plus libbpf rootkit primitives (bpf_object__open_mem, bpf_map__pin, bpf_program__attach, maps hidden_pids/hidden_inodes/hidden_names, /sys/fs/bpf/) for kernel-level concealment from ps, ls and lsof.

Installing this package compromises the host with a persistent, hidden credential stealer.

Malicious versions

1 flagged
4.2.2

Indicators of compromise (SHA-256)

52847ff329757e0777e62c1c060455abc4ddd6f002c295a7f38d0e0489daf76f

Frequently asked questions

No. js-digest on npm has been identified as a malicious package (version 4.2.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006826

Credits

  • Amazon Inspector · finder

js-digest (npm) malicious package — MAL-2026-5912 | O3 Security