Malicious package

npmkekw (npm)

Malicious code in npmkekw (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6363
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall npmkekw

What this malware does

The package's main module (index.js) exports an init() function that spawns /bin/bash via child_process.exec and opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket — a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that calls init(). Package metadata is consistent with a throwaway attack vehicle: empty description, empty author, non-descriptive name npmkekw, and no other functional code. The payload as shipped contains a typo (references an undefined sh variable and pipes from cp.stdout) so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional.

Malicious versions

4 flagged
2.0.0, 2.0.1, 2.0.3, 2.0.5

Indicators of compromise (SHA-256)

001543f96749cd3e6896e93ae9d601dcd9c9c7646de0a624e9c9d22f20032df3
bea6f325821de15ed962d2b22f820e53220dcb59004dd436a95cc5f4d0cc26ad
1810d4765039fea883114aab44274ee9a85c80801dd8ed7043de829764a8b14f
74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153

Detection & response playbook

Backdoor / remote access
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for npmkekw (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging npmkekw across your stack and pipelines.

  2. If you installed it — respond

    npmkekw establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

  3. Did it already run?

    If npmkekw was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks npmkekw before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
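An added example, not part of the original advisory and not O3's scanner: the lockfile check from step 1, applied to package-lock.json, matching the package name and the four flagged versions listed above. The names findNpmkekw, record and SAMPLE_LOCK and the sample lockfile are constructed for illustration.

```javascript
const BAD_NAME = "npmkekw";
// The four versions this advisory lists as flagged.
const BAD_VERSIONS = new Set(["2.0.0", "2.0.1", "2.0.3", "2.0.5"]);

const record = (where, version) => ({
  where,
  version,
  flagged: BAD_VERSIONS.has(version), // true = one of the listed versions
});

// lockText: contents of a package-lock.json as a string.
// Returns one entry per place the package appears, direct or transitive.
function findNpmkekw(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "name" is set
    // when the folder name differs from the real package name (aliases).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split("node_modules/").pop();
      if (name === BAD_NAME) hits.push(record(path, meta.version));
    }
    return hits;
  }

  // lockfileVersion 1: nested "dependencies" tree; keep the dependency chain.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === BAD_NAME) hits.push(record(here.join(" > "), meta.version));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/example-lib/node_modules/npmkekw": { version: "2.0.3" },
  },
});

console.log(findNpmkekw(SAMPLE_LOCK));
```

Pass the file contents as a string, for example from fs.readFileSync("package-lock.json", "utf8"). A hit with flagged: false is a version of the package that this page does not list.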

Frequently asked questions

No. npmkekw on npm has been identified as a malicious package (versions 2.0.0, 2.0.1, 2.0.3, 2.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007395, IN-MAL-2026-007393, IN-MAL-2026-007394, IN-MAL-2026-007392

Credits

  • Amazon Inspector · finder
