Which versions of randomlogs are malicious?

The following npm versions of randomlogs are flagged malicious: 1.2.2, 1.2.3, 1.2.4. Treat any of these as compromised.

How do I remediate randomlogs if I installed it?

randomlogs establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

I already installed randomlogs — how do I know if it already compromised me?

If randomlogs was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is randomlogs part of a known attack campaign?

Yes — randomlogs is associated with the IN-MAL-2026-003558, IN-MAL-2026-003569, IN-MAL-2026-003568, GHSA-6x8j-5cx8-5qv6 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find randomlogs across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for randomlogs (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging randomlogs across your stack and pipelines.

Malicious package

randomlogsnpm

Malicious code in randomlogs (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4657

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall randomlogs

What this malware does

The package's main module (index.js lines 6-10) exports a function mal that opens a TCP socket to 223.229.156.10:5513 and pipes a spawned shell (/bin/sh or cmd.exe) stdin/stdout/stderr through that socket — a textbook reverse shell granting interactive remote control of the calling host to the operator of that IP. The package's own package.json description openly states the package contains malware ("this has a malware and it is only for testing purpose") and presents under a benign-sounding name (randomlogs, advertised as a random-string utility). Any consumer who requires and invokes the exported function hands full shell access on their machine to the hardcoded remote endpoint.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

3 flagged

1.2.21.2.31.2.4

Indicators of compromise (SHA-256)

06969cf19fda75623b50f7f689eda975ec840e07e95cffada079e82ea1ebc4b7

a048135562639532503e525ad93e23a33184d1a6473c84e0fe7c03dc78ee7402

c085eee0876092131c3f909facc237674fcfb1e02bafbafcb34230c87b3a3819

8eca8cfc258b23cf2a6ee74a7af0c73c30453a1b7427083bbcaa6023fa87d06d

Detection & response playbook

Backdoor / remote access

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for randomlogs (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging randomlogs across your stack and pipelines.
If you installed it — respond
randomlogs establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If randomlogs was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks randomlogs before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. randomlogs on npm has been identified as a malicious package (versions 1.2.2, 1.2.3, 1.2.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003558IN-MAL-2026-003569IN-MAL-2026-003568GHSA-6x8j-5cx8-5qv6

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks randomlogs-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.

Malware detection Runtime egress monitoring