Which versions of token-prices-cron are malicious?

The following npm versions of token-prices-cron are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate token-prices-cron if I installed it?

Remove token-prices-cron from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is token-prices-cron part of a known attack campaign?

Yes — token-prices-cron is associated with the IN-MAL-2026-006488 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect token-prices-cron in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking token-prices-cron and packages like it before any post-install script runs.

Malicious package

token-prices-cronnpm

Malicious code in token-prices-cron (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5782

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall token-prices-cron

What this malware does

On npm install, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), and bundles them with hostname, username, cwd, and npm registry/prefix metadata. The collected payload is POSTed over the network to a hardcoded bare IP at 185.130.46.35:8443 — no domain, no TLS verification context, no documented purpose. The package itself is a hollow shell: index.js is module.exports = {}, the description is 'Internal package', and the version is 999.0.0 — the canonical dependency-confusion shape designed to win resolution against a private-registry package of the same name and trigger the credential harvester on corporate build machines. A source comment confirms intent ('Exfil CI environment variables on install').

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d

Frequently asked questions

No. token-prices-cron on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006488

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection