Malicious package

speed4 (npm)

Malicious code in speed4 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5938

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall speed4

What this malware does

speed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains auto-publish.sh, which sets BASE="speed" and TOTAL=5, copies the package contents into tmp_speedN directories, rewrites package.json.name to speed1..speed5, and runs npm publish --silent for each variant. Nested leftover directories tmp_speed3/tmp_speed2/tmp_speed1/ shipped inside the tarball confirm the script has been executed at least three times and that all five speedN packages distribute identical content. Package metadata is consistent with a squat: generic short name, "description": "package", empty author field.

The served content is a deceptive HTML page (index.html) that advertises a 'Riverbend Tutoring' brand while registering first-gesture click/keydown/touchstart handlers that call window.open('https://abdct.com/', '_blank', 'noreferrer') to redirect visitors to an unrelated third-party domain. The tarball additionally bundles a dozen heavily obfuscated JavaScript assets under assets/ (hex-identifier renamed, single-line minified), duplicated across the nested clone directories.

Installing or pulling this package into a build hands the consumer an attacker-controlled deceptive payload bundled under multiple confusable short names on the registry.
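As an added example (not part of the advisory or of any O3 Security tooling), the Node.js function below scans a parsed package-lock.json for any speed1..speed5 entry, including transitive copies and npm aliases, and marks the version flagged on this page. The sample lockfile and the helper names are constructed for illustration.

```javascript
// Added example. Family names and the flagged version come from the advisory;
// the sample lockfile at the bottom is constructed.
const FAMILY = /^speed[1-5]$/;          // speed1..speed5 (BASE="speed", TOTAL=5)
const FLAGGED = { speed4: ['1.1.7'] };  // the only version flagged on this page

function record(hits, name, version, where) {
  if (!FAMILY.test(name)) return;
  const flagged = (FLAGGED[name] || []).includes(version);
  hits.push({ name, version, where, flagged });
}

// lockfileVersion 1: nested "dependencies" tree keyed by install name.
function walkV1(deps, trail, hits) {
  for (const [key, dep] of Object.entries(deps || {})) {
    // npm 6 stores an alias as version "npm:<real-name>@<version>"
    const alias = /^npm:(.+)@([^@]+)$/.exec(dep.version || '');
    record(hits, alias ? alias[1] : key, alias ? alias[2] : dep.version, `${trail}${key}`);
    walkV1(dep.dependencies, `${trail}${key} > `, hits);
  }
}

// Accepts a parsed package-lock.json and returns every speedN entry found.
function findSpeedFamily(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "name" is set for aliases.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      const name = pkg.name || path.split('node_modules/').pop();
      if (path !== '') record(hits, name, pkg.version, path);
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Constructed sample: one direct install, one transitive copy hidden behind an alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/speed4': { version: '1.1.7' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/widget/node_modules/fast': { name: 'speed2', version: '1.1.7' },
  },
};
console.log(findSpeedFamily(sampleLock));
```

Treat any hit as a finding, since the advisory states that all five speedN packages distribute identical content; the flagged field only marks the exact version listed on this page.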

Malicious versions

1 flagged
1.1.7

Indicators of compromise (SHA-256)

979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0

Frequently asked questions

No. speed4 on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006859

Credits

  • Amazon Inspector · finder

speed4 (npm) malicious package — MAL-2026-5938 | O3 Security