Which versions of sys-info-cli-app are malicious?

The following npm versions of sys-info-cli-app are flagged malicious: 1.0.1, 1.0.2, 1.0.9. Treat any of these as compromised.

How do I remediate sys-info-cli-app if I installed it?

Remove sys-info-cli-app from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is sys-info-cli-app part of a known attack campaign?

Yes — sys-info-cli-app is associated with the IN-MAL-2026-006454, IN-MAL-2026-006455, IN-MAL-2026-006456, IN-MAL-2026-006452, IN-MAL-2026-006453, IN-MAL-2026-006457 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect sys-info-cli-app in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking sys-info-cli-app and packages like it before any post-install script runs.

Malicious package

sys-info-cli-appnpm

Malicious code in sys-info-cli-app (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5764

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall sys-info-cli-app

What this malware does

The package's collect.js gathers host identifiers (os.hostname(), os.homedir()) along with filesystem and child_process introspection and POSTs them to a hardcoded external endpoint at http://aab.sportsontheweb.net. The destination is unrelated to any legitimate npm distribution infrastructure and the data flow has no documented purpose tied to the package's stated function. The combination of os/child_process/fs reads with an outbound POST to an attacker-controlled domain is the canonical host-reconnaissance / exfiltration shape. Installing or loading this package causes installer host metadata to be sent off-host to a third-party server.

Malicious versions

3 flagged

1.0.11.0.21.0.9

Indicators of compromise (SHA-256)

1423c435a0e9e86338dd64d138fb1697580751ade2b7486880e21785e1b3eb47

27dfc1e117001fe5c9c5ba1d091d3dfb7221dcba8548a0d9de5782f1ba878177

59aa09b82f37f5407f4b9f36e747cf77223ec561e131c5e6a910037d824c32ae

64659c05718995ad539dc101e0c177c8f663dce920935b1e8cf39ea11914e840

a4e883a7d23f25424d56280dc14ad8a08a163ef7c9c01b12689ae8049899a617

b3eec1fa6a56319409ac7aaf6de49d64ff54b6d70c50dfe1a8083da345e3a32d

Frequently asked questions

No. sys-info-cli-app on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006454IN-MAL-2026-006455IN-MAL-2026-006456IN-MAL-2026-006452IN-MAL-2026-006453IN-MAL-2026-006457

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection