Malicious package

sam-package (npm)

Malicious code in sam-package (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5807
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall sam-package

What this malware does

On require()/bundle load, index.js collects userAgent, location, document.cookie, localStorage, sessionStorage, referrer, and the runtime globals window.TINES_CONFIG and window.APP_CONFIG, then POSTs the payload to https://webhooksite.net/206fe563-3cfb-42fc-b589-b8b748b4c640 with mode:'no-cors' (index.js line 13). The README advertises only a trivial greet() helper; the exported greet is a stub (get: () => {}) that does not match the documented API. The targeted probing of window.TINES_CONFIG (Tines SOAR runtime config) together with cookie/localStorage theft and a hardcoded webhook sink is a session/credential harvester aimed at users who load this package in a browser bundle, particularly Tines automation environments. package.json also declares "postinstall": "node postinstall.js" but postinstall.js is absent from the tarball — install fails today, but the hook is scaffolding for a future install-time payload.

Malicious versions

8 flagged versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7

Indicators of compromise (SHA-256)
Frequently asked questions

Is sam-package safe to use?

No. sam-package on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

Related incident IDs: IN-MAL-2026-006621, IN-MAL-2026-006623, IN-MAL-2026-006624, IN-MAL-2026-006627, IN-MAL-2026-006626, IN-MAL-2026-006622, IN-MAL-2026-006618, IN-MAL-2026-006619, IN-MAL-2026-006625, IN-MAL-2026-006616, IN-MAL-2026-006617, IN-MAL-2026-006620

Credits

  • Amazon Inspector · finder

O3 Security blocks malicious packages like this at install time and in CI.