Which versions of runtime-query are malicious?

The following npm versions of runtime-query are flagged malicious: 1.6.6. Treat any of these as compromised.

How do I remediate runtime-query if I installed it?

Remove runtime-query from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is runtime-query part of a known attack campaign?

Yes — runtime-query is associated with the IN-MAL-2026-007037 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect runtime-query in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking runtime-query and packages like it before any post-install script runs.

Malicious package

runtime-querynpm

Malicious code in runtime-query (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6144

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall runtime-query

What this malware does

On require(), index.js (lines 70-77) fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the .cookie field from the response, and passes it to new Function.constructor('require', cookie)(require) — compiling and executing attacker-controlled JavaScript with full access to Node's require. jsonkeeper.com is an anonymous, mutable paste host: the operator can swap the payload at any time without republishing the package. Any installer (or downstream package) that imports runtime-query gives the author arbitrary code execution on their machine. The package's metadata (description claims a generic query framework, empty author, no repository/homepage) is a cover story — the only shipped code is the 70-line remote loader.

Malicious versions

1 flagged

1.6.6

Indicators of compromise (SHA-256)

95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e

Frequently asked questions

No. runtime-query on npm has been identified as a malicious package (version 1.6.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007037

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection