Malicious package

npm-sandbox-research-e9f0 (npm)

Malicious code in npm-sandbox-research-e9f0 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5762
Immediate action
Remove the package from every project and lockfile that pulls it in (including as a transitive dependency), then rotate any secrets the build or runtime environment could reach: the postinstall hook has already run with the installer's privileges on any machine where the package was installed.
npm uninstall npm-sandbox-research-e9f0

What this malware does

The package declares a postinstall hook ("postinstall": "node run.js") that npm runs automatically on install (unless lifecycle scripts are disabled with --ignore-scripts). The tarball ships beacon scripts (beacon13.js, beacon_linux.js) that combine require('child_process'), require('os'), and require('http') / http.request to collect host identifiers (os.hostname(), os.platform()) and send them out in HTTP POST and GET requests. This is the canonical install-time host-recon and exfiltration shape: lifecycle-hook auto-execution, host enumeration via the os module, command-execution capability via child_process, and outbound HTTP. Installing the package therefore discloses host metadata immediately and leaves a code-execution surface on the installing machine.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

1356b7c33d092b4655a20e28a21ddd3e6894a0168cf4c03ca3faf91d4535d0ef
a18a9932f78294e22aa0a85077b9318233ab0952bc8788ae8987fce3e5002c93

Frequently asked questions

npm-sandbox-research-e9f0 on npm is not safe to use: it has been identified as a malicious package (version 1.0.0 flagged). Remove it immediately, and do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-006471
IN-MAL-2026-006470


Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
