Malicious package

quirky-token (npm)

Malicious code in quirky-token (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6066
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall quirky-token

What this malware does

The package is advertised as an SVG sanitizer but exposes an undocumented getPlugin() export whose returned function fetches JSON from https://www.jsonkeeper.com/b/3P9BF and passes the response's model field directly to eval(). jsonkeeper.com is an anonymous, mutable paste host with no pinning, hash, or signature — whoever controls that paste can execute arbitrary JavaScript in the consumer's Node.js process whenever the returned function is invoked. The malicious block in index.js is appended below a plausible SVG sanitizer/minifier implementation that serves as cover, and both the HTTP error branch and the eval try/catch are empty so failures are silently swallowed. This is a classic dropper pattern: benign cover code, undocumented export, fetch-and-eval from a mutable third-party paste, concealment of errors. Any consumer who imports this package and calls getPlugin() grants the paste operator full RCE on the importer's host.

Malicious versions

1 flagged
1.0.2

Indicators of compromise (SHA-256)

b263413912feb72882ee0b52e7025c636ed98472ba90e6db4714b3b111b4e2e8

Frequently asked questions

Is quirky-token safe to use?

No. quirky-token on npm has been identified as a malicious package (version 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006904

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
