Which versions of thevoid are malicious?

The following npm versions of thevoid are flagged malicious: 0.1.3, 0.1.4. Treat any of these as compromised.

How do I remediate thevoid if I installed it?

thevoid is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed thevoid — how do I know if it already compromised me?

If thevoid was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is thevoid part of a known attack campaign?

Yes — thevoid is associated with the IN-MAL-2026-004259, IN-MAL-2026-004260, IN-MAL-2026-004228, IN-MAL-2026-004227 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find thevoid across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for thevoid (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging thevoid across your stack and pipelines.

Malicious package

thevoidnpm

Malicious code in thevoid (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4692

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall thevoid

What this malware does

On install, postinstall.js performs an HTTPS request to void-relay.com carrying process.env contents along with host identifiers (process.platform, process.arch). The destination is not associated with any documented publisher SDK or runtime CDN, and the data exfiltrated (full environment variables plus host fingerprint) constitutes installer-side secret leakage. This matches the canonical hardcoded-C2 exfiltration shape: a lifecycle script (postinstall.js line 38) issues https.get to a hardcoded attacker-controlled host (void-relay.com, line 22) with environment data attached. Any developer or CI runner that installs this package will leak its environment (which routinely contains API tokens, cloud credentials, and CI secrets) to the attacker.

Malicious versions

2 flagged

0.1.30.1.4

Indicators of compromise (SHA-256)

0ce4d125de5d699da897d074134f8d1f0a971aa23d9c3d6ff3330015fccad091

27287e9af97748818989eb46a4435e8684d75760a428b8d9054f080bfd1fa660

47489953ce40d6c0f085ec6baf20a035de70f73694d6b8be5025d63c82205886

5c620020be938a746e20906905f09b52960636a2c53c649f64c9971257b655e9

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for thevoid (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging thevoid across your stack and pipelines.
If you installed it — respond
thevoid is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If thevoid was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks thevoid before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. thevoid on npm has been identified as a malicious package (versions 0.1.3, 0.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004259IN-MAL-2026-004260IN-MAL-2026-004228IN-MAL-2026-004227

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks thevoid-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring