What does the naughty-package malware do?

The package naughty-package was found to contain malicious code. The OpenSSF Package Analysis project identified 'naughty-package' @ 1.0.8 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.

Which versions of naughty-package are malicious?

The following npm versions of naughty-package are flagged malicious: 1.0.2, 1.0.5, 1.0.7, 1.0.8. Treat any of these as compromised.

How do I remediate naughty-package if I installed it?

Remove naughty-package from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed naughty-package — how do I know if it already compromised me?

If naughty-package was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

How do I find naughty-package across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for naughty-package (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging naughty-package across your stack and pipelines.

Malicious package

naughty-packagenpm

Malicious code in naughty-package (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-1093

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall naughty-package

What this malware does

The package naughty-package was found to contain malicious code.

The OpenSSF Package Analysis project identified 'naughty-package' @ 1.0.8 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

4 flagged

1.0.21.0.51.0.71.0.8

Indicators of compromise (SHA-256)

0468ae18d44d78c000a973ca7dfb090efc540fc1792b894ee063d4441a306d27

f541502f67ae3fc0e3558f52fb3e24b3857ab7bae8d0f8b45dc077d4d06ea0f7

3f2978c5764d97f06a66498d08fcf2247067741751489b580cf6455a81e71c83

5aceae5939d76701462dc3f742b492456510e7ff96510671e83e8de93850ab10

e32166479d2212b7384d2011adc8496c59347f7af8af2fdae6de9dd13c6f5b0d

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for naughty-package (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging naughty-package across your stack and pipelines.
If you installed it — respond
Remove naughty-package from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If naughty-package was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks naughty-package before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. naughty-package on npm has been identified as a malicious package (versions 1.0.2, 1.0.5, 1.0.7, 1.0.8 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks naughty-package-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring

naughty-packagenpm

What this malware does

Malicious versions

Indicators of compromise (SHA-256)

Detection & response playbook

Find it

If you installed it — respond

Did it already run?

How O3 protects you

Frequently asked questions

Credits

Detect & block this