Which versions of js-shared-modules are malicious?

The following npm versions of js-shared-modules are flagged malicious: 1.11.7. Treat any of these as compromised.

How do I remediate js-shared-modules if I installed it?

Remove js-shared-modules from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is js-shared-modules part of a known attack campaign?

Yes — js-shared-modules is associated with the IN-MAL-2026-006206, IN-MAL-2026-006207 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect js-shared-modules in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking js-shared-modules and packages like it before any post-install script runs.

Malicious package

js-shared-modulesnpm

Malicious code in js-shared-modules (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5098

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall js-shared-modules

What this malware does

package.json declares "postinstall": "node poc.js", which fires automatically on every npm install. poc.js reads os.hostname(), hex-encodes it, and issues an HTTPS GET to zcpesvvighyuzqlzkqgdydwp9jn54hfeg.oast.fun (an Interactsh out-of-band callback host), exfiltrating the installer's hostname to a third-party canary. The package has no legitimate functionality — index.js is an empty module.exports = {} and the source banner self-identifies as a dependency-confusion proof-of-concept squatting a generic internal-style name (js-shared-modules) to shadow a private package. Any installer who resolves this public package leaks their host identity to the canary domain.

The OpenSSF Package Analysis project identified 'js-shared-modules' @ 1.11.7 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged

1.11.7

Indicators of compromise (SHA-256)

adff3edac3c3ba1c04ba273f77d51c95d153b4e027ec4809b3d2f3c74a712a92

b5d28882e3ff8afe78db631ca5e1129d2b08f976f17f66ffe2b14834184ce09a

049751b3dab69252bcd81a407ac98a3bafb4efade81a2428d2bd858ca2a7c7b2

Frequently asked questions

No. js-shared-modules on npm has been identified as a malicious package (version 1.11.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006206IN-MAL-2026-006207

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection