Malicious package

mddriver (npm)

Malicious code in mddriver (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5791
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall mddriver

What this malware does

On require('mddriver'), an IIFE in index.js invokes loadTokenData(), which fetches https://www.jsonkeeper.com/b/C4H0M (stored base64-encoded as "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9DNEgwTQ==" and decoded with atob), parses the JSON response, and passes the .content field to a Function-constructor evaluator (new (Function.contructor)(...)) for execution. The paste-style host is anonymous and the fetched content is fully mutable: any consumer that imports this package executes whatever JavaScript the operator of that paste serves at that moment, with no signature, hash, or pinning. The package metadata advertises 'MongoDB connection driver', but the shipped index.js is a verbatim copy of Node's built-in path module with the dropper appended. The name 'mddriver' and the misleading description are consistent with a typosquat targeting developers searching for mongodb / mongoose drivers.
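A static check for the loader pattern described above, as an added example that is not part of the original advisory or of the package: it flags source that combines a base64 string literal decoding to an http(s) URL with a Function-constructor or eval sink. The function names, regexes and sample strings are assumptions constructed for illustration; only the base64 literal and the evaluator expression are taken from the advisory text.

```javascript
// Added example: triage check for "base64-hidden URL + dynamic evaluation" in JS source.
// Quoted string literals that look like base64 (16+ alphabet chars, optional padding).
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

// Dynamic-evaluation sinks: Function constructor (direct or via a property) and eval.
const EVAL_SINKS = [
  /\bnew\s+Function\s*\(/,
  /\bnew\s*\(\s*Function\.\w+\s*\)\s*\(/, // any property name, as quoted in the advisory
  /\.constructor\.constructor\s*\(/,
  /\beval\s*\(/,
];

// Return the decoded URL if the literal is canonical base64 for an http(s) URL, else null.
function decodeIfUrl(literal) {
  if (literal.length % 4 !== 0) return null;
  const text = Buffer.from(literal, "base64").toString("utf8");
  // Round-trip to reject strings that only resemble base64.
  if (Buffer.from(text, "utf8").toString("base64") !== literal) return null;
  return /^https?:\/\/[^\s"']+$/.test(text) ? text : null;
}

// Report hidden URLs and evaluation sinks; both together is the pattern to escalate.
function findDropperIndicators(source) {
  const urls = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const url = decodeIfUrl(m[1]);
    if (url && !urls.includes(url)) urls.push(url);
  }
  const sinks = EVAL_SINKS.filter((re) => re.test(source)).map((re) => re.source);
  return { urls, sinks, suspicious: urls.length > 0 && sinks.length > 0 };
}

// Constructed sample: inert fragments mirroring the advisory's description.
const SAMPLE_SUSPECT = [
  'const u = atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9DNEgwTQ==");',
  "new (Function.contructor)(payload)();",
].join("\n");

// Constructed sample: a base64 literal that is not a URL, and no evaluation sink.
const SAMPLE_BENIGN = 'module.exports = { sep: "/", id: "QUJDREVGR0hJSktMTU5PUA==" };';

console.log(findDropperIndicators(SAMPLE_SUSPECT));
console.log(findDropperIndicators(SAMPLE_BENIGN));
```

A hit is a triage signal for manual review of the file, not a verdict; split or otherwise obfuscated literals will not match these regexes.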

Malicious versions

5 flagged
1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6

Indicators of compromise (SHA-256)

Frequently asked questions

No. mddriver on npm has been identified as a malicious package (versions 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006518, IN-MAL-2026-006523, IN-MAL-2026-006519, IN-MAL-2026-006520, IN-MAL-2026-006522, IN-MAL-2026-006517, IN-MAL-2026-006526, IN-MAL-2026-006524, IN-MAL-2026-006521, IN-MAL-2026-006525

Credits

  • Amazon Inspector · finder

mddriver (npm) malicious package — MAL-2026-5791 | O3 Security