Malicious package

pkg-telemetry-r4f9 (npm)

Malicious code in pkg-telemetry-r4f9 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5990
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall pkg-telemetry-r4f9

What this malware does

On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine child_process, os, and http modules to collect host identifiers and send them to a remote endpoint. beacon_linux.js reads os.hostname() and os.platform() and issues an http.request POST carrying that data to a hardcoded host. beacon17.js similarly imports child_process and performs outbound HTTP GETs. The package name ("pkg-telemetry-r4f9" with a random-looking suffix) and its install-time-only behavior are inconsistent with any legitimate library purpose. Installing this package causes automatic, unconsented exfiltration of installer host metadata and provides a remote-execution surface via child_process.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e

Frequently asked questions

No. pkg-telemetry-r4f9 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006900

Credits

  • Amazon Inspector · finder


pkg-telemetry-r4f9 (npm) malicious package — MAL-2026-5990 | O3 Security