Which versions of npm-sandbox-research-9c4e are malicious?

The following npm versions of npm-sandbox-research-9c4e are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate npm-sandbox-research-9c4e if I installed it?

Remove npm-sandbox-research-9c4e from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is npm-sandbox-research-9c4e part of a known attack campaign?

Yes — npm-sandbox-research-9c4e is associated with the IN-MAL-2026-006458, IN-MAL-2026-006461 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect npm-sandbox-research-9c4e in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking npm-sandbox-research-9c4e and packages like it before any post-install script runs.

Malicious package

npm-sandbox-research-9c4enpm

Malicious code in npm-sandbox-research-9c4e (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5759

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall npm-sandbox-research-9c4e

What this malware does

On install, package.json runs node run.js via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()) and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via npm install, host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name (npm-sandbox-research-*) and shipped contents are inconsistent with any legitimate library purpose.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

24c86d7d2179375f642423fc8c38f58f5740b543bacab149ba8d4cbdcd7dc4cf

ec025527f85ede469daba4142e2a4a93d2a2af95bc5804a7aceaf2fd270ade88

Frequently asked questions

No. npm-sandbox-research-9c4e on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006458IN-MAL-2026-006461

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection