Which versions of nw-demo are malicious?

The following npm versions of nw-demo are flagged malicious: 100.20.33. Treat any of these as compromised.

How do I remediate nw-demo if I installed it?

Remove nw-demo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is nw-demo part of a known attack campaign?

Yes — nw-demo is associated with the IN-MAL-2026-003512, IN-MAL-2026-003511, GHSA-hmxw-6c9h-v2h2 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect nw-demo in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking nw-demo and packages like it before any post-install script runs.

Malicious package

nw-demonpm

Malicious code in nw-demo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4624

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall nw-demo

What this malware does

Package is published publicly on npm at version 100.20.33 — a version-number shape used in dependency-confusion attacks to outrank private internal packages of the same name. The package.json claims authorship by 'Atlassian Ecosystem Engineering' and describes itself as an 'Atlassian internal demonstration and utility framework', but the package is published to the public registry under no Atlassian-owned scope. The main entry index.js contains only try { require('nw-demo-utils'); } catch (e) { } — its sole behavior on import is to silently load and execute a separately-published transitive dependency (nw-demo-utils ^1.0.16), with errors swallowed to hide failures. The README instructs consumers to require('nw-demo'), which transitively executes nw-demo-utils' module-load code in the installer's process. The wrapper itself ships no payload; it functions as a loader that laundries arbitrary code from nw-demo-utils into any pipeline that mistakenly resolves the public package over a private internal one.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

100.20.33

Indicators of compromise (SHA-256)

03e57536309b6677744ada28c811992c031dceaae52bd012f338594e0d15fef5

5e3ff057a42800ad78024ac1c48e0d6fbf9c828eb828a41e6737c32b6174ce8c

a8b0000bbe860e0be3251c1f9d4909f0f7c7f752e64fd9f49c9f728efac5c633

Frequently asked questions

No. nw-demo on npm has been identified as a malicious package (version 100.20.33 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003512IN-MAL-2026-003511GHSA-hmxw-6c9h-v2h2

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection