Malicious package

npm-sandbox-research-g3h4 (npm)

Malicious code in npm-sandbox-research-g3h4 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5763
Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall npm-sandbox-research-g3h4

What this malware does

On install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a
6df6ab545cb5891153281962879a70b15df1e9e9fb6e404ca7c9dc33e773dfab

Frequently asked questions

No. npm-sandbox-research-g3h4 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006459
IN-MAL-2026-006460

Credits

  • Amazon Inspector · finder
