Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

stella-ai-clinpm

Malicious code in stella-ai-cli (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10133
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall stella-ai-cli

What this malware does

The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP plain-HTTP endpoint at http://62.238.2.22:8787 (paths /api/v1/auth/register/register and /verify). Subsequent chat input is sent to the same host. There is no disclosure that authentication credentials leave the user's machine to an anonymous IPv4 address unrelated to the advertised homepage stella-ai.app. In addition, bin/postinstall.js and install.bat implement a dropper flow that downloads stella-latest.tar.gz from the same bare-IP plain-HTTP endpoint, extracts it under ~/.stella, installs the Bun runtime via curl -fsSL https://bun.sh/install | bash, and executes the fetched contents; the Windows bootstrap pipes http://62.238.2.22:8787/install.ps1 directly into iex. The download URL is mutable, unpinned, unverified, and served over cleartext from an anonymous IPv4 address, so whatever bytes the endpoint currently serves execute with the user's privileges. Package metadata reinforces the mismatch: homepage stella-ai.app, repository github.com/anomalyco/opencode, operational endpoint a raw IPv4.

Malicious versions

2 flagged
2.0.03.0.1

Indicators of compromise (SHA-256)

936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863
da786d4edb9d8acbc1789a64b9ca7a618449677f703b0426ec75570d516de6f5

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for stella-ai-cli (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging stella-ai-cli across your stack and pipelines.

  2. If you installed it — respond

    stella-ai-cli is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If stella-ai-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks stella-ai-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. stella-ai-cli on npm has been identified as a malicious package (versions 2.0.0, 3.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009635IN-MAL-2026-009633

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks stella-ai-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

stella-ai-cli (npm) malicious package — MAL-2026-10133 | O3 Security