Malicious package

node-stack-frames (npm)

Malicious code in node-stack-frames (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5736
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall node-stack-frames

What this malware does

package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname(), os.platform(), and os.arch(), base64-encodes the result, and issues an HTTP GET to https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=<encoded>. The host is a ProjectDiscovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code — its own description identifies it as a security holding placeholder — so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.

Malicious versions

1 flagged
4.0.0

Indicators of compromise (SHA-256)

5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158
eb14f033b6997244fdd890fbfacba9c82a164fd26a201cc39ee76408d70f208e

Frequently asked questions

No. node-stack-frames on npm has been identified as a malicious package (version 4.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006317
IN-MAL-2026-006318

Credits

  • Amazon Inspector · finder

node-stack-frames (npm) malicious package — MAL-2026-5736 | O3 Security