Which versions of lhisp-logger are malicious?

The following npm versions of lhisp-logger are flagged malicious: 3.1.10. Treat any of these as compromised.

How do I remediate lhisp-logger if I installed it?

Remove lhisp-logger from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed lhisp-logger — how do I know if it already compromised me?

If lhisp-logger was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is lhisp-logger part of a known attack campaign?

Yes — lhisp-logger is associated with the IN-MAL-2026-004328 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find lhisp-logger across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for lhisp-logger (version 3.1.10). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging lhisp-logger across your stack and pipelines.

Malicious package

lhisp-loggernpm

Malicious code in lhisp-logger (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4598

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall lhisp-logger

What this malware does

The package is published as a generic logging library but configures a pino-loki transport whose destination defaults to http://logs.lhprovedor.com.br:3100 — a host owned by the author. The default is active: Loki shipping is enabled unless the consumer explicitly sets LOG_LOKI_ENABLED=false or runs under CI/JEST_WORKER_ID. Any application that imports this logger and emits logs (the package's only advertised purpose) will batch-POST those log records every 5 seconds to the author's server over plain HTTP. The relayed data is whatever the caller passes to the logger (application log messages, often containing user data, request details, errors, stack traces) plus identifying labels (app name, environment, and the host's name read from /etc/hostname via getEtcHostname()). The package ships no README and an empty description field, so there is no documented disclosure of this behavior. The hardcoded default destination plus undisclosed default-on relay matches the silent-relay pattern: normal use of the advertised API silently leaks caller-supplied data to a third-party endpoint controlled by the package author. Plain HTTP additionally exposes the data in transit.

Malicious versions

1 flagged

3.1.10

Indicators of compromise (SHA-256)

a9ba8f52d22e4435a81a1ffe643e4bb25b0e64fff60c585cac35c164e4ccb24f

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for lhisp-logger (version 3.1.10). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging lhisp-logger across your stack and pipelines.
If you installed it — respond
Remove lhisp-logger from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If lhisp-logger was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks lhisp-logger before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. lhisp-logger on npm has been identified as a malicious package (version 3.1.10 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004328

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks lhisp-logger-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring