Which versions of muaddib-scanner are malicious?

The following npm versions of muaddib-scanner are flagged malicious: 2.11.41. Treat any of these as compromised.

How do I remediate muaddib-scanner if I installed it?

muaddib-scanner is a typosquat — you almost certainly intended a legitimately-named package. Remove muaddib-scanner, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed muaddib-scanner — how do I know if it already compromised me?

If muaddib-scanner was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is muaddib-scanner part of a known attack campaign?

Yes — muaddib-scanner is associated with the IN-MAL-2026-004623 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find muaddib-scanner across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for muaddib-scanner (version 2.11.41). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging muaddib-scanner across your stack and pipelines.

Malicious package

muaddib-scannernpm

Malicious code in muaddib-scanner (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4616

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall muaddib-scanner

What this malware does

package.json declares "loadash": "^1.0.0" as a runtime dependency. loadash is a well-known typosquat of lodash and is never required or imported anywhere in this package's source — the dependency is unused by the scanner itself. Every installer of this package pulls loadash@^1.0.0 into their node_modules transitively, executing whatever code that namesquat ships. The remaining static signals on this package (curl/ping/POST/child_process/https patterns across src/scanner/, src/ioc/, src/rules/, src/ml/, src/sandbox/) are consistent with the package's stated purpose (a supply-chain security scanner that inspects other packages' lifecycle scripts, fetches package metadata from registry.npmjs.org, and analyzes IOC patterns like curl http://evil.com as data); literal strings like curl http://evil.com and $(whoami) appear as detection rule examples, not as executed commands. The block is on the namespace-abuse vector — a security tool has no legitimate reason to ship an unused typosquat dependency, and installers should not silently acquire it.

Malicious versions

1 flagged

2.11.41

Indicators of compromise (SHA-256)

c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for muaddib-scanner (version 2.11.41). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging muaddib-scanner across your stack and pipelines.
If you installed it — respond
muaddib-scanner is a typosquat — you almost certainly intended a legitimately-named package. Remove muaddib-scanner, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If muaddib-scanner was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks muaddib-scanner before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. muaddib-scanner on npm has been identified as a malicious package (version 2.11.41 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004623

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks muaddib-scanner-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring