Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

utils-style-enginenpm

Malicious code in utils-style-engine (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10609
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall utils-style-engine

What this malware does

The package declares a preinstall hook that runs index.js on npm install. index.js collects host identifiers (os.hostname(), os.userInfo(), uid/gid, shell, homedir, process.platform, cwd, and the output of whoami/id via child_process) and POSTs the collected data as JSON to a hardcoded external endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56 (a Burp Suite Collaborator subdomain). The package ships no other functionality: package.json has an empty description, empty author, no repository, and the generic name utils-style-engine; the only shipped file besides the manifest is the beacon script. The shape is consistent with a dependency-confusion / reconnaissance probe.

Malicious versions

1 flagged
10.2.4

Indicators of compromise (SHA-256)

3049309c5f74bd1b453bcd51803cb7b8ddbbab2d3038f10d13e11a592dff6f52

Detection & response playbook

Backdoor / remote access
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for utils-style-engine (version 10.2.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging utils-style-engine across your stack and pipelines.

  2. If you installed it — respond

    utils-style-engine establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

  3. Did it already run?

    If utils-style-engine was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks utils-style-engine before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. utils-style-engine on npm has been identified as a malicious package (version 10.2.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010544

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks utils-style-engine-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.