Malicious package

twokey (npm)

Malicious code in twokey (npm)
Remove it immediately and rotate any exposed credentials.

MAL-2026-4697
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall twokey

What this malware does

The package's postinstall hook unconditionally executes node bin/twokey.js --desktop --enable-autostart, which performs three install-time actions without prompting the installer:

  1. Fetches https://api.github.com/repos/meinzeug/twokey/releases/latest, downloads the resulting AppImage to ~/.local/share/twokey/bin/twokey-ai.AppImage, chmods it 0755, and spawns it detached with stdio ignored. The URL is the mutable 'latest' endpoint, not pinned to the npm package version, and no hash or signature verification is performed.

  2. Writes ~/.config/systemd/user/twokey.service and runs systemctl --user daemon-reload && systemctl --user enable twokey.service, so the auto-downloaded AppImage runs on every boot.

  3. When invoked via sudo, re-spawns itself as the original user via sudo -u $SUDO_USER -H node bin/twokey.js --desktop --enable-autostart with XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS injected, extending the install footprint into the desktop user's session.

The destination repo matches the publisher and the binary is consistent with the package's stated Tauri-desktop purpose, but the combination of mutable-URL fetch + no integrity check + silent execution + persistence install means the installer receives, executes, and persistently autostarts whatever bytes the releases/latest pointer resolves to at install time — fully decoupled from the npm version they thought they vetted.

Malicious versions

5 flagged
1.0.5, 1.0.7, 1.0.8, 1.0.10, 1.0.11

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for twokey (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging twokey across your stack and pipelines.

  2. If you installed it — respond

    Remove twokey from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If twokey was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks twokey before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
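As an added example for step 1 (not O3 Security's scanner), the script below finds every copy of twokey in a package-lock.json, handling both lockfileVersion 1 ("dependencies", nested per entry) and 2/3 ("packages", keyed by install path), and marks the five versions flagged on this page; the sample lockfiles are constructed.

```javascript
// Added example, not O3 Security's scanner: locate twokey in a package-lock.json
// and flag the versions listed on this advisory. Nested copies (under another
// package's node_modules) are reported too, since npm may install duplicates.
const FLAGGED = new Set(["1.0.5", "1.0.7", "1.0.8", "1.0.10", "1.0.11"]);
const PACKAGE = "twokey";

function findTwokey(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, flagged: FLAGGED.has(meta.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: one entry per install location, e.g. "node_modules/a/node_modules/twokey"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${PACKAGE}` || p.endsWith(`/node_modules/${PACKAGE}`)) record(p, meta);
    }
    return hits;
  }
  // lockfileVersion 1: walk the tree; nested copies live in each entry's own "dependencies"
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) record(p, meta);
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Parse raw lockfile text (e.g. fs.readFileSync("package-lock.json", "utf8")).
function scanLockfileText(text) { return findTwokey(JSON.parse(text)); }

function summarize(hits) {
  return hits.map(h => `${h.flagged ? "FLAGGED" : "present"} ${h.path}@${h.version}`).join("\n");
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "0.0.1" },
  "node_modules/twokey": { version: "1.0.8" },                        // flagged version
  "node_modules/some-lib": { version: "2.1.0" },
  "node_modules/some-lib/node_modules/twokey": { version: "1.0.2" }, // unflagged, still worth review
}};
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-lib": { version: "2.1.0", dependencies: { twokey: { version: "1.0.11" } } },
}};

console.log(summarize(findTwokey(SAMPLE_V3)));
```

An unflagged copy is reported as "present" so it can be removed along with the flagged one rather than left in the tree.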

Frequently asked questions

No. twokey on npm has been identified as a malicious package (versions 1.0.5, 1.0.7, 1.0.8, 1.0.10, 1.0.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004481, IN-MAL-2026-004478, IN-MAL-2026-004472, IN-MAL-2026-004482, IN-MAL-2026-004479, IN-MAL-2026-004480, IN-MAL-2026-004476, IN-MAL-2026-004475, IN-MAL-2026-004477, IN-MAL-2026-004473

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks twokey-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

twokey (npm) malicious package — MAL-2026-4697 | O3 Security