Which versions of metrics-pipeline-d8k2 are malicious?

The following npm versions of metrics-pipeline-d8k2 are flagged malicious: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5. Treat any of these as compromised.

How do I remediate metrics-pipeline-d8k2 if I installed it?

Remove metrics-pipeline-d8k2 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is metrics-pipeline-d8k2 part of a known attack campaign?

Yes — metrics-pipeline-d8k2 is associated with the IN-MAL-2026-006723, IN-MAL-2026-006726, IN-MAL-2026-006722, IN-MAL-2026-006724, IN-MAL-2026-006727, IN-MAL-2026-006725 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect metrics-pipeline-d8k2 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking metrics-pipeline-d8k2 and packages like it before any post-install script runs.

Malicious package

metrics-pipeline-d8k2npm

Malicious code in metrics-pipeline-d8k2 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5858

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall metrics-pipeline-d8k2

What this malware does

Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js loads child_process, https, and fs, reads files via fs.readFileSync and reads process.env, gathers host identity (process.platform), and POSTs/GETs the data to remote endpoints; it also references https://registry.npmjs.org and https://npm.pkg.github.com, consistent with credential/token harvesting and potential self-propagation through registry APIs. beacon_linux.js mirrors the pattern on Linux: require('child_process') + require('http') + os.hostname() + os.platform() followed by http.request(...) POST to a remote host. The package's stated 'metrics pipeline' name is a cover; the only behavior on install is host fingerprinting and outbound exfiltration. Installing this package on a developer or CI machine causes immediate compromise: environment variables (which commonly hold cloud and CI tokens), file contents, and host identifiers are sent to attacker-controlled infrastructure without user interaction.

Malicious versions

6 flagged

1.0.01.0.11.0.21.0.31.0.41.0.5

Indicators of compromise (SHA-256)

01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0

54c1af327fbf53a18b26a293093ff11b2ac19e346468fca66ff083166972dc7f

5b0d9377de514d01f4b2c4007ca1d7dfd5787ab72c185eb74a6f4f53ac1658ba

89a516af939e2a8520621d9ef7f847517da94269623a71aea9f2f00d3188a954

c113970b47b623dedfa59e8ff71bf20bfca793e1e1d9ff76b29eca1bf674dc9f

3a44ea64194cd8e1b678076116fadf8bc05e764bb8d478c72266cd0bf3874da4

Frequently asked questions

No. metrics-pipeline-d8k2 on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006723IN-MAL-2026-006726IN-MAL-2026-006722IN-MAL-2026-006724IN-MAL-2026-006727IN-MAL-2026-006725

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection