Malicious package

parket-slot (npm)

Malicious code in parket-slot (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5643
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall parket-slot

What this malware does

On npm install, the package's postinstall script (node test.js) runs automatically and carries out a multi-stage attack against the installer's machine.

File theft: it recursively scans os.homedir() on Unix (and all non-C: drives plus cwd on Windows) for .env, config.toml, config.json, id.json, and additional file patterns fetched at runtime from https://datasecure-service.vercel.app/api/scan-patterns. It then POSTs the matching files as multipart uploads to https://datasecure-service.vercel.app/api/v1, along with the OS username and platform (index.js:8, 58, 160).

SSH backdoor: on Linux, it additionally fetches an attacker SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys with mode 0o600, then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH reachability (index.js:248-252).

Together this grants the attacker persistent remote shell access plus a retargetable credential/wallet/token stealer driven by server-supplied patterns. The package metadata is consistent with a throwaway: empty description and author, no repository, and dependencies on child_process and os (names of Node built-ins, shadowed by squatter packages).
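A lockfile audit for the traits described above, as an added example that is not part of the original advisory: it flags the advisory's package name and version, packages that shadow or depend on Node built-in names, and packages with install scripts. It assumes the npm lockfileVersion 2/3 layout (a `packages` map with the `hasInstallScript` flag); `auditLockfile` and `sampleLock` are hypothetical names, and the sample data is constructed.

```javascript
const { builtinModules } = require("node:module");

// Package name and flagged version as given in this advisory.
const FLAGGED = { name: "parket-slot", versions: ["0.0.6"] };
const MARK = "node_modules/";

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes(MARK)) continue; // root project and workspace entries
    // "node_modules/a/node_modules/b" -> "b"; scoped names keep "@scope/".
    const name = path.slice(path.lastIndexOf(MARK) + MARK.length);
    if (name === FLAGGED.name) {
      const rule = FLAGGED.versions.includes(meta.version) ? "flagged-version" : "flagged-name";
      findings.push({ path, rule, version: meta.version });
    }
    // Core-module names on the registry: a review signal, not proof, since
    // some legitimate polyfills (e.g. "events", "buffer") share core names.
    if (builtinModules.includes(name)) {
      findings.push({ path, rule: "shadows-builtin", version: meta.version });
    }
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (builtinModules.includes(dep)) {
        findings.push({ path, rule: "depends-on-builtin-name", dep });
      }
    }
    // Install scripts run automatically on `npm install`.
    if (meta.hasInstallScript) {
      findings.push({ path, rule: "install-script", version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile; squatter versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "1.0.0" },
    "node_modules/parket-slot": {
      version: "0.0.6",
      hasInstallScript: true,
      dependencies: { child_process: "*", os: "*" },
    },
    "node_modules/child_process": { version: "0.0.0" },
    "node_modules/os": { version: "0.0.0" },
  },
};
for (const f of auditLockfile(sampleLock)) console.log(f.rule, f.path, f.dep || f.version);
```

To audit a real project, pass `JSON.parse` of its package-lock.json to `auditLockfile` and review each finding by hand.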

Malicious versions

1 flagged
0.0.6

Indicators of compromise (SHA-256)

6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072
b571cb22323700cb88dacf6b7bdcdd18b7068a09277fc6f07837bd53d247c5d6

Frequently asked questions

No. parket-slot on npm has been identified as a malicious package (version 0.0.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005722, IN-MAL-2026-005723

Credits

  • Amazon Inspector · finder
