Which versions of metavu are malicious?

The following npm versions of metavu are flagged malicious: 99.21.1-1.21.127, 99.21.1-1.21.199. Treat any of these as compromised.

How do I remediate metavu if I installed it?

Remove metavu from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is metavu part of a known attack campaign?

Yes — metavu is associated with the IN-MAL-2026-006982, IN-MAL-2026-006977 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect metavu in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking metavu and packages like it before any post-install script runs.

Malicious package

metavunpm

Malicious code in metavu (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6132

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall metavu

What this malware does

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home directory, username/uid/gid/shell, OS details, the output of whoami and id, and the current working directory, then POSTs the JSON payload to a hardcoded collector URL https://webhook.site/4f54203c-996c-4f52-b136-ef9b1fd0f64d/detox56 (index.js:7, index.js:108). The package has no functional code — empty author, empty description, and a bizarre version string 99.21.1-1.21.199 consistent with a throwaway dependency-confusion / recon probe. Installing this package leaks installer identity and host fingerprint to an attacker-controlled collector, enabling targeted follow-on attacks against the developer or build environment.

Malicious versions

2 flagged

99.21.1-1.21.12799.21.1-1.21.199

Indicators of compromise (SHA-256)

b831ebbecee413d046d8e4ed8d9b21c3d2a6e4b71350c714535eeefaeccb1a6a

fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525

Frequently asked questions

No. metavu on npm has been identified as a malicious package (versions 99.21.1-1.21.127, 99.21.1-1.21.199 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006982IN-MAL-2026-006977

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection