Malicious package

tango-app-api-trax (npm)

Malicious code in tango-app-api-trax (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4682
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall tango-app-api-trax

What this malware does

The tarball contains live, importable credentials for systems other than the installer's own. src/controllers/internalTrax.controller.js hardcodes Lenskart POS authentication (username tango.eye, password 55eyetango123, header X-Lenskart-API-Key: valyoo123) inside the exported controllers aomupdateCollection and saleUpdateCollection, which post to webservice.pos.lenskart.com and central.pos.lenskart.com. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the tango.eye partner and read or mutate employee/store data. Additionally, fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json ships a complete Google Cloud service account (project_id: tango-trax, client_email: [email protected]) including the BEGIN PRIVATE KEY block, granting Firebase Admin privileges over the tango-trax GCP project to anyone who pulls the package. There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The ping matches in the static analysis are unrelated string occurrences in the controller and not exfiltration behavior.

Malicious versions

5 flagged
3.9.10, 3.9.21, 3.9.32, 3.9.39, 3.9.43

Indicators of compromise (SHA-256)
Frequently asked questions

No. tango-app-api-trax on npm has been identified as a malicious package (versions 3.9.10, 3.9.21, 3.9.32, 3.9.39, 3.9.43 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003521, IN-MAL-2026-003520, IN-MAL-2026-005913, IN-MAL-2026-005912, IN-MAL-2026-005908, IN-MAL-2026-005910, IN-MAL-2026-005909, IN-MAL-2026-005914, IN-MAL-2026-005911, IN-MAL-2026-005907

References

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
