Which versions of node-app-doctor are malicious?

The following npm versions of node-app-doctor are flagged malicious: 1.0.1, 1.0.2, 1.0.9. Treat any of these as compromised.

How do I remediate node-app-doctor if I installed it?

Remove node-app-doctor from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is node-app-doctor part of a known attack campaign?

Yes — node-app-doctor is associated with the IN-MAL-2026-006316, IN-MAL-2026-006315, IN-MAL-2026-006312, IN-MAL-2026-006313, IN-MAL-2026-006311, IN-MAL-2026-006314 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect node-app-doctor in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking node-app-doctor and packages like it before any post-install script runs.

Malicious package

node-app-doctornpm

Malicious code in node-app-doctor (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5733

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall node-app-doctor

What this malware does

collect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.

Malicious versions

3 flagged

1.0.11.0.21.0.9

Indicators of compromise (SHA-256)

2672da84038326aef670f6e4b5276bc4d1a2f678d986f0a422858bac2a39f6b5

a36bb51486017eff5ce97b5a6c916f6140e0dd1cbfe3f2686bbeb97c03995395

a675df3cebba84e131f74db241a485e0eea07d89837e6fb9d91aac2342713f08

addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e

bb98b7bd393ae33a610f2cb95e294878050d42ba2757be857c34e8a411bfec3a

9c131ec8f08bea5eecdaa826ff4a17588c61dc432ca61ef3658dbe0e6b4aebe8

Frequently asked questions

No. node-app-doctor on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006316IN-MAL-2026-006315IN-MAL-2026-006312IN-MAL-2026-006313IN-MAL-2026-006311IN-MAL-2026-006314

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection