Which versions of sheratan_haha are malicious?

The following npm versions of sheratan_haha are flagged malicious: 1.0.0, 1.0.1. Treat any of these as compromised.

How do I remediate sheratan_haha if I installed it?

Remove sheratan_haha from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is sheratan_haha part of a known attack campaign?

Yes — sheratan_haha is associated with the IN-MAL-2026-006360, IN-MAL-2026-006361, IN-MAL-2026-006359 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect sheratan_haha in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking sheratan_haha and packages like it before any post-install script runs.

Malicious package

sheratan_hahanpm

Malicious code in sheratan_haha (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5739

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall sheratan_haha

What this malware does

On npm install, the package's declared postinstall hook (node postinstall.js) runs whoami on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7) via https.request. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name sheratan_haha), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.

Malicious versions

2 flagged

1.0.01.0.1

Indicators of compromise (SHA-256)

5417b03a148421c99e85e5179f9911aadfe5ad30144fa4c3bf0eb1cbd8fc2160

6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd

8425e7844278696c1b266519af201afa5e89ef4cf8fa0ad7da38a297fcdbbe2f

Frequently asked questions

No. sheratan_haha on npm has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006360IN-MAL-2026-006361IN-MAL-2026-006359

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection