Malicious package

stackus (npm)

Malicious code in stackus (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6098
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall stackus

What this malware does

On require(), lib/writer.js (loaded transitively from the package's main pino.js) collects the installer's full process.env together with host identifiers (os.hostname, os.userInfo().username, os.platform(), and external MAC addresses) into a data object, then performs an unconditional axios GET to https://www.jsonkeeper.com/b/MYUKZ and passes the response body through eval(). A second hex-obfuscated jsonkeeper.com URL (https://www.jsonkeeper.com/b/HY6M6) is also staged in the same file.

jsonkeeper.com is an anonymous, user-editable JSON paste host, so the eval'd payload is mutable attacker-controlled content with closure access to the staged environment dump. This is a complete credential-exfiltration and remote-code-execution channel that fires on every consumer that imports the package, and the payload can be changed by the attacker at any time without publishing a new version.

The package masquerades as the pino logger: it declares main=pino.js, homepage=https://getpino.io, replicates pino's writer/proto/levels/transport API surface, and ships pino-branded images, while the package name 'stackus' is unrelated to pino.

Malicious versions

1 flagged
1.0.6

Indicators of compromise (SHA-256)

0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456

Frequently asked questions

Is stackus (npm) safe to use?

No. stackus on npm has been identified as a malicious package (version 1.0.6 flagged). It should be removed immediately. Do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-006976

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

stackus (npm) malicious package — MAL-2026-6098 | O3 Security