Malicious package

setka-editor (npm)

Malicious code in setka-editor (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5859
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall setka-editor

What this malware does

package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install. callback.js collects installer-side identity and environment data — username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP via api.ipify.org, Node version, and CI/secret-presence flags (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, DOCKER_PASSWORD) — and POSTs the result to a hardcoded Discord webhook (https://discord.com/api/webhooks/1516163806559076442/...). A DNS-based exfiltration fallback is also implemented. The package self-identifies as a dependency-confusion PoC and is published at version 999.0.0 to outrank private-registry packages of the same name; any build pipeline that resolves setka-editor from the public npm registry will execute the callback and leak the listed data. Regardless of stated research intent, the install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against any pipeline that resolves this name.
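One way to check whether a project's lockfile already resolves the flagged package, as an added example that is not part of the original advisory or any vendor tooling. It assumes a package-lock.json with lockfileVersion 2 or 3; `auditLockfile`, `nameFromKey` and the sample lockfile are names and data constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the package and version flagged in this advisory.
const FLAGGED = { name: "setka-editor", versions: ["999.0.0"] }; // from the advisory
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name
// is whatever follows the last "node_modules/" segment.
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (nameFromKey(key) !== FLAGGED.name) continue;
    const reasons = [];
    if (FLAGGED.versions.includes(entry.version)) reasons.push("flagged-version");
    // A name expected from a private registry resolving publicly is the
    // dependency-confusion condition the advisory describes.
    if ((entry.resolved || "").startsWith(PUBLIC_REGISTRY)) reasons.push("public-registry");
    // npm records hasInstallScript when a package declares install hooks.
    if (entry.hasInstallScript) reasons.push("install-script");
    if (reasons.length) findings.push({ path: key, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/cms-ui/node_modules/setka-editor": {
      version: "999.0.0",
      resolved: "https://registry.npmjs.org/setka-editor/-/setka-editor-999.0.0.tgz",
      hasInstallScript: true,
    },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A non-empty result means the install hooks may already have run on any machine or CI runner that installed from that lockfile, so the credential rotation above applies.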

Malicious versions

1 flagged
999.0.0

Indicators of compromise (SHA-256)

a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069

Frequently asked questions

No. setka-editor on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006740

Credits

  • Amazon Inspector · finder

setka-editor (npm) malicious package — MAL-2026-5859 | O3 Security