Malicious package

swift-parse-stream (npm)

Malicious code in swift-parse-stream (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6068
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall swift-parse-stream

What this malware does

swift-parse-stream advertises itself as an SVG sanitizer/minifier but ships an undocumented getPlugin export in index.js that, when invoked, performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF (an anonymous user-paste host) and runs eval(parsed.model) on the returned JSON's model field. The destination is attacker-controlled and mutable: whoever controls the paste can change the executed JavaScript at any time without republishing the package. The README does not mention this code path. Any caller — typically a second compromised package chaining into this one — that reaches getPlugin() hands arbitrary remote code execution to the paste's owner, running in the consumer application's process with its full privileges and access to its environment, filesystem, and network.

Malicious versions

1 flagged
1.0.2
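
To confirm whether the package is present anywhere in a dependency tree, including as a transitive dependency pulled in by another package, the lockfile can be audited directly. The following is an added example, not code from this advisory or from the package; the sample lockfile and the name example-parent are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for swift-parse-stream.
const PKG = 'swift-parse-stream';
const FLAGGED = new Set(['1.0.2']); // version flagged in this advisory

// Returns [{ path, version, flagged }] for every install of PKG in the lockfile.
function findInLock(lock) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Prefer the entry's own name when present (root entry, aliased
      // installs); otherwise take the last node_modules/ path segment.
      const name = meta.name || path.split('node_modules/').pop();
      if (name === PKG) add(path, meta.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) add(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: the package arrives through a parent package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/example-parent': { version: '2.1.0' },
    'node_modules/example-parent/node_modules/swift-parse-stream': {
      version: '1.0.2',
    },
  },
};

for (const hit of findInLock(sampleLock)) {
  console.log(`${hit.flagged ? 'FLAGGED' : 'present'} ${PKG}@${hit.version} at ${hit.path}`);
}
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json; the install path in each hit shows which parent package pulls it in.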

Indicators of compromise (SHA-256)

8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8

Frequently asked questions

No. swift-parse-stream on npm has been identified as a malicious package (version 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006905

Credits

  • Amazon Inspector · finder

swift-parse-stream (npm) malicious package — MAL-2026-6068 | O3 Security