Which versions of ratelimitsucks6 are malicious?

The following npm versions of ratelimitsucks6 are flagged malicious: 1.1.7. Treat any of these as compromised.

How do I remediate ratelimitsucks6 if I installed it?

Remove ratelimitsucks6 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ratelimitsucks6 part of a known attack campaign?

Yes — ratelimitsucks6 is associated with the IN-MAL-2026-007010 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ratelimitsucks6 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ratelimitsucks6 and packages like it before any post-install script runs.

Malicious package

ratelimitsucks6npm

Malicious code in ratelimitsucks6 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6136

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ratelimitsucks6

What this malware does

ratelimitsucks6 is one variant in a numerically-iterated family (ratelimitsucks1, ratelimitsucks2,...) generated by auto-publish.sh shipped inside the tarball. That script is an infinite loop that rewrites package.json's name field to ${BASE_NAME}${COUNT} and runs npm publish --silent for each variant — attacker auto-publication infrastructure accidentally included with the release. Package metadata is deceptive: description is just "package", author is empty, and the package name has no relation to the shipped contents. The tarball ships a full Scramjet web-proxy runtime (sw.js + 8cfc2/hgshm.js, 180 KB), twelve heavily-obfuscated JS bundles under assets/ (hex-mangled identifiers throughout), and an index.html cloaked as "Riverbend Tutoring" that loads a third-party script from cdn.21baseballacademy.com and opens https://abdct.com/ in a new window on the first user interaction. No npm lifecycle hooks are declared and main: sw.js calls importScripts() which is undefined in Node, so the package does not auto-execute on npm install or require(). The harm is registry pollution and namespace abuse: the publisher is flooding npm with iterated lure names hosting an obfuscated browser-side proxy/redirector payload.

Malicious versions

1 flagged

1.1.7

Indicators of compromise (SHA-256)

c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0

Frequently asked questions

No. ratelimitsucks6 on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007010

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection