Which versions of portal-backend are malicious?

The following npm versions of portal-backend are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate portal-backend if I installed it?

Remove portal-backend from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is portal-backend part of a known attack campaign?

Yes — portal-backend is associated with the IN-MAL-2026-006489 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect portal-backend in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking portal-backend and packages like it before any post-install script runs.

Malicious package

portal-backendnpm

Malicious code in portal-backend (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5781

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall portal-backend

What this malware does

On npm install, the package's preinstall hook executes postinstall.js, which enumerates process.env and filters keys matching a broad credential-shaped regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), then bundles those values together with os.hostname(), os.userInfo().username, process.cwd(), and npm registry config into a JSON payload and POSTs it via https.request to 185.130.46.35:8443/collect — a bare IP with no relation to any publisher domain. The source even self-identifies the behavior in a comment ("Exfil CI environment variables on install"). The package itself is hollow: index.js is module.exports = {}, the description is the generic "Internal package," and the version is 999.0.0 — the canonical dependency-confusion shape designed to outrank a private registry's portal-backend and have misconfigured installers fetch this public copy instead. Installing this package on any developer or CI machine immediately ships that machine's CI secrets, deploy tokens, SSH/registry credentials, and host identity to the attacker.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985

Frequently asked questions

No. portal-backend on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006489

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection