Malicious package

ts-build-optimize (npm)

Malicious code in ts-build-optimize (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3774
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ts-build-optimize

What this malware does

The package masquerades as a TypeScript helper library (README is lifted from Microsoft's tslib and references --importHelpers, __extends, __assign, and a fake github.com/microsoft/ts-build-optimize/releases URL). The shipped index.js has nothing to do with TypeScript helpers: it exports a function buildoptimize whose default arguments are hardcoded to fetch https://verceljs-kappa.vercel.app/icons/23 and pass the response body directly to eval() (index.js:61-63 sets uuri = "https://verceljs-kappa.vercel.app/icons/"; index.js:79 executes eval(JSON.parse(b)); the function is exported at index.js:95). Any consumer who imports this package and calls buildoptimize() — which the name and README imply is a build-time optimizer — will execute arbitrary attacker-controlled JavaScript on the installer/build machine. The Vercel destination is mutable (the author can swap the payload at any time), no hash or signature is verified, and the hosting domain is unrelated to Microsoft or any legitimate tslib publisher. The C2 endpoint serves a benign 6,758-byte PNG decoy when requested without the package's hardcoded bearrtoken: logo HTTP header (so casual scanners and curl see only an image), but returns 53,347 bytes of JSON-wrapped, heavily-obfuscated JavaScript when the header is present. 
Static analysis of the fetched second stage (sha256 of the raw response body fd082d2406d65aa78d5f1028e11dc23e85d63f07c459fb048d08236a65590b99; sha256 of the JSON-decoded JavaScript source 47d235dad37c7fb86e231822a4c231344cbd006e58b8cb9a013b064c1a521eb8 — captured 2026-05-15, payload is mutable) shows wallet-theft and persistence functionality: references to the Exodus cryptocurrency wallet on macOS (/Library/Application Support/exodus.wallet) and Windows (/AppData/Roaming/Exodus/exodus.wallet); functions named installWindows, uninstallWindows, installMac, uninstallMac, isInstalledWindows, and a macPlistPath constant indicating per-OS persistence install/uninstall machinery; heavy use of child_process.execSync/exec to invoke shell commands; and a top-level setInterval(main, 30000) re-execution loop. The combination of name-squat on a widely-used Microsoft package, README impersonation, header-gated decoy, and a remote-eval primitive that delivers wallet-theft + persistence makes this an unambiguous supply-chain attack.

Malicious versions

5 flagged
1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2
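
An added example (not part of the original advisory or of any vendor tool): a Node.js check that walks a parsed package-lock.json, in either the nested lockfileVersion 1 layout or the flat "packages" layout of versions 2 and 3, and reports every direct, transitive or aliased copy of ts-build-optimize. The function name findMaliciousInstalls and the sample lockfiles are constructed for illustration.

```javascript
// Versions flagged in this advisory (MAL-2026-3774).
const PKG = "ts-build-optimize";
const FLAGGED = new Set(["1.1.5", "1.1.6", "1.2.0", "1.2.1", "1.2.2"]);

// Returns [{ path, version, flagged }] for each installed copy, direct or transitive.
function findMaliciousInstalls(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED.has(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. An npm alias keeps
    // the real package name in "name", so check that before the path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split("node_modules/").pop();
      if (name === PKG) record(path, meta.version);
    }
    return hits;
  }
  // lockfileVersion 1: recursively nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/tslib": { version: "2.6.2" },
    "node_modules/build-helper/node_modules/ts-build-optimize": { version: "1.2.1" },
    "node_modules/opt": { name: "ts-build-optimize", version: "1.2.2" }, // alias
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "build-helper": {
      version: "0.3.0",
      dependencies: { "ts-build-optimize": { version: "1.1.5" } },
    },
  },
};
console.log(findMaliciousInstalls(sampleV3), findMaliciousInstalls(sampleV1));
```

To check a real project, pass the result of JSON.parse on its package-lock.json; a hit with flagged set to false is a copy at a version this advisory does not list.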

Indicators of compromise (SHA-256)


Frequently asked questions

No. ts-build-optimize on npm has been identified as a malicious package (versions 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002680, IN-MAL-2026-002681, IN-MAL-2026-005864, IN-MAL-2026-005862, IN-MAL-2026-005863

Credits

  • Amazon Inspector · finder

ts-build-optimize (npm) malicious package — MAL-2026-3774 | O3 Security