Malicious package

metrics-probe-77d4 (npm)

Malicious code in metrics-probe-77d4 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5982
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall metrics-probe-77d4

What this malware does

On install, package.json runs postinstall: node run.js. run.js imports os, fs, http, https, and child_process and at runtime collects host identifiers (os.hostname(), os.platform()) and reads files from the filesystem (fs.existsSync / fs.readFileSync), then issues outbound HTTP/HTTPS requests including POST calls (run.js lines 322, 329) and GET / http.get fetches (lines 38, 190). The postinstall lifecycle hook causes this code to execute automatically on npm install without consumer interaction, exposing installer host information and local file contents to attacker-controlled network destinations. The package name (random suffix -77d4) and the absence of any documented purpose are consistent with a disposable exfiltration lure rather than a legitimate library.
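
A lockfile check shows whether the package reached a project, including as a transitive dependency. The following is an added example, not code from this advisory or from the package: it scans a parsed package-lock.json for metrics-probe-77d4 at the flagged version 1.0.0 and lists every package npm recorded as having install scripts (the hasInstallScript field of lockfile v2/v3). The sample lockfile and the names example-lib-a and example-native-b are constructed.

```javascript
// Added example: audit a parsed package-lock.json for the flagged package
// and for packages that run install-time lifecycle hooks.
const ADVISORY = { name: "metrics-probe-77d4", versions: ["1.0.0"] }; // from this advisory

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock, advisory = ADVISORY) {
  const flagged = [];        // name + version matches for the advisory
  const installScripts = []; // paths npm marked with hasInstallScript
  const visit = (name, path, entry) => {
    if (name === advisory.name && advisory.versions.includes(entry.version)) {
      flagged.push({ path, version: entry.version });
    }
    if (entry.hasInstallScript) installScripts.push(path);
  };
  // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== "") visit(entry.name || nameFromPath(key), key, entry);
  }
  // lockfileVersion 1: nested tree, walked only when no "packages" map exists.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      visit(name, path, entry);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return { flagged, installScripts };
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/example-lib-a": { version: "2.3.1" },
    "node_modules/example-lib-a/node_modules/metrics-probe-77d4": { version: "1.0.0", hasInstallScript: true },
    "node_modules/example-native-b": { version: "4.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

For a real project, pass in JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Lockfile v1 has no hasInstallScript field, so installScripts stays empty for it while the name and version match still works.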

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e

Frequently asked questions

No. metrics-probe-77d4 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006902

Credits

  • Amazon Inspector · finder

metrics-probe-77d4 (npm) malicious package — MAL-2026-5982 | O3 Security