Which versions of spotify-url-resolver are malicious?

The following npm versions of spotify-url-resolver are flagged malicious: 3.4.2. Treat any of these as compromised.

How do I remediate spotify-url-resolver if I installed it?

Remove spotify-url-resolver from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is spotify-url-resolver part of a known attack campaign?

Yes — spotify-url-resolver is associated with the IN-MAL-2026-005463, IN-MAL-2026-005462 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect spotify-url-resolver in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking spotify-url-resolver and packages like it before any post-install script runs.

Malicious package

spotify-url-resolvernpm

Malicious code in spotify-url-resolver (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5574

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall spotify-url-resolver

What this malware does

On require('spotify-url-resolver'), index.js line 21 invokes startBackupLoop() at module top level. The loop zips process.cwd() (the installer's project root, including source code,.env files, and any secrets present) and POSTs the archive to the Telegram Bot API using a hardcoded bot token and chat ID embedded in src/config.js (bot 8951835797, chat 8494768763). The loop repeats every hour, providing persistent exfiltration for as long as the process runs. Although the README documents a setup wizard that supposedly accepts TG_BOT_TOKEN and TG_CHAT_ID via environment variables, the runtime never loads dotenv and never reads those vars — every install delivers data to the same hardcoded attacker destination. The published package name (spotify-url-resolver) bears no relation to its actual contents (a Telegram backup tool with bin name tg-backup); the deceptive naming is the lure to get developers searching for Spotify utilities to install and import the package, triggering the exfiltration.

Malicious versions

1 flagged

3.4.2

Indicators of compromise (SHA-256)

4a81616012a08ed2886b44f72afb8f8aa4620bb0682a26c8eb79356158650412

7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7

Frequently asked questions

No. spotify-url-resolver on npm has been identified as a malicious package (version 3.4.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005463IN-MAL-2026-005462

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection