Which versions of new-ts-helper are malicious?

The following npm versions of new-ts-helper are flagged malicious: 9.0.2. Treat any of these as compromised.

How do I remediate new-ts-helper if I installed it?

Remove new-ts-helper from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is new-ts-helper part of a known attack campaign?

Yes — new-ts-helper is associated with the IN-MAL-2026-007066 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect new-ts-helper in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking new-ts-helper and packages like it before any post-install script runs.

Malicious package

new-ts-helpernpm

Malicious code in new-ts-helper (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6227

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall new-ts-helper

What this malware does

index.js imports child_process and at lines 101 and 117 invokes execSync to run bash and zsh commands. Lines 9, 194, and 195 use Buffer.from(..., 'base64').toString() to decode base64-encoded payloads, a common pattern for hiding the actual shell commands from casual review. The combination of base64-decoded strings being fed into execSync calls inside the main module is the canonical shape of an obfuscated runtime payload executor: any caller that requires this package, or any lifecycle/CLI path that loads index.js, will execute attacker-controlled shell commands decoded from the embedded base64 blobs. There is no documented benign reason for a 'helper' package to base64-decode strings and shell them out. Package name (new-ts-helper) also has the shape of a low-effort lure rather than an established TypeScript utility.

Malicious versions

1 flagged

9.0.2

Indicators of compromise (SHA-256)

c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80

Frequently asked questions

No. new-ts-helper on npm has been identified as a malicious package (version 9.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007066

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection