Malicious package

set-proto-chain (npm)

Malicious code in set-proto-chain (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6079
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall set-proto-chain

What this malware does

lib/index.js contains a base64-encoded URL (decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host) that is fetched via axios.get; the response's .data.cookie field is then written to the stdin of a detached node child process for execution. The top-level index.js calls getThetaInterface() unconditionally, and package.json declares postinstall: node index.js, so the fetch-and-execute path fires automatically on npm install as well as on require(). The fetched payload is attacker-controlled and can change at any time. The package additionally impersonates the legitimate proto-chain package (README header # proto-chain, runtime error messages referencing require('proto-chain')), making accidental installs more likely.

Malicious versions

1 flagged
1.0.3
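
To confirm whether the package sits anywhere in a dependency tree, including as a transitive or aliased dependency, the check below walks a parsed package-lock.json and matches the exact name set-proto-chain, so the legitimate proto-chain is not flagged. This is an added example, not code from the advisory or from O3 Security; the function names and sample lockfiles are constructed, and it assumes npm's lockfile layout (the packages map in lockfileVersion 2 and 3, the nested dependencies tree in version 1).

```javascript
// Name and flagged version come from the advisory; all sample data is constructed.
const FLAGGED = { name: 'set-proto-chain', versions: ['1.0.3'] };

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (project root) -> null.
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function findFlagged(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flaggedVersion: FLAGGED.versions.includes(version) });
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // npm writes meta.name when the folder name differs from the package name (aliases).
    const name = meta.name || nameFromPath(key);
    if (name === FLAGGED.name) record(key, meta.version);
  }
  // lockfileVersion 1 has no "packages" map: walk the nested dependency tree instead.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === FLAGGED.name) record([...trail, name].join(' > '), meta.version);
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/proto-chain': { version: '2.0.0' }, // legitimate name: no hit
    'node_modules/helper/node_modules/set-proto-chain': { version: '1.0.3', hasInstallScript: true },
    'node_modules/chain-alias': { name: 'set-proto-chain', version: '1.0.3' }, // aliased install
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    helper: { version: '1.2.0', dependencies: { 'set-proto-chain': { version: '1.0.3' } } },
  },
};
console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To check a real project, pass the function the result of JSON.parse on that project's package-lock.json.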

Indicators of compromise (SHA-256)

bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633

Frequently asked questions

No. set-proto-chain on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006943

Credits

  • Amazon Inspector · finder

set-proto-chain (npm) malicious package — MAL-2026-6079 | O3 Security