Which versions of path-internal-util are malicious?

The following npm versions of path-internal-util are flagged malicious: 1.0.1, 1.0.2. Treat any of these as compromised.

How do I remediate path-internal-util if I installed it?

Remove path-internal-util from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is path-internal-util part of a known attack campaign?

Yes — path-internal-util is associated with the IN-MAL-2026-005250, IN-MAL-2026-005249 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect path-internal-util in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking path-internal-util and packages like it before any post-install script runs.

Malicious package

path-internal-utilnpm

Malicious code in path-internal-util (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-3312

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall path-internal-util

What this malware does

On require(), path.js executes an IIFE that calls loadTokenData(), which fetches a base64-obfuscated URL (decoding to https://www.jsonkeeper.com/b/CWOV9), parses the JSON response, and passes data.content directly to eval(). The remote paste is mutable by whoever controls the jsonkeeper entry, so any installer that imports the package executes arbitrary attacker-controlled JavaScript in-process at import time. The package name impersonates Node's built-in path module and the README claims to be 'an exact copy of the NodeJS path module', increasing the chance of accidental installation by developers seeking a path polyfill.

The OpenSSF Package Analysis project identified 'path-internal-util' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

2 flagged

1.0.11.0.2

Indicators of compromise (SHA-256)

db91c8a40ff204e2aa98c594413d69b624d93a4ac51ea09fc00b1d3f63b8e462

3bd4ebaf2978cb19cb80932842460fcb683c7e5867ec9e51c642bc29605394d4

a5333e8bbb96471236eb31d7ee684d66437fdbf8a055cd9e15cd76f417adab51

aaba59a63a7a6f3dfc734a55082dff17dbf357f41b2a09ef0c87f73d046088e1

Frequently asked questions

No. path-internal-util on npm has been identified as a malicious package (versions 1.0.1, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005250IN-MAL-2026-005249

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection