Which versions of opt-archetype-check are malicious?

The following npm versions of opt-archetype-check are flagged malicious: 9.9.1. Treat any of these as compromised.

How do I remediate opt-archetype-check if I installed it?

Remove opt-archetype-check from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is opt-archetype-check part of a known attack campaign?

Yes — opt-archetype-check is associated with the IN-MAL-2026-006931 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect opt-archetype-check in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking opt-archetype-check and packages like it before any post-install script runs.

Malicious package

opt-archetype-checknpm

Malicious code in opt-archetype-check (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6075

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall opt-archetype-check

What this malware does

On npm install, the package's postinstall hook executes node index.js, which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host (const CALLBACK_HOST = "109.71.252.153";) and line 73 issues the POST to /callback. The file's own header self-identifies as a 'PoC Callback Script — npm Package Takeover'. The package's description ('walmart Application and Middleware Server') and name shape are consistent with dependency-confusion impersonation of internal Walmart tooling — any environment that mistakenly resolves this public package will execute the beacon and leak infrastructure fingerprints to the attacker, providing reconnaissance for follow-on intrusion against the targeted internal namespace.

Malicious versions

1 flagged

9.9.1

Indicators of compromise (SHA-256)

6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e

Frequently asked questions

No. opt-archetype-check on npm has been identified as a malicious package (version 9.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006931

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection