Malicious package: veteran (npm)

Malicious code in veteran (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4703
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall veteran

What this malware does

On npm install, the package's postinstall hook (install.js, registered via package.json line 10: "postinstall": "node install.js") downloads a platform-specific executable from https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip} (install.js:13: const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'), extracts it with shell tar/unzip, sets its mode to 0o755 (install.js:165), and immediately executes it (install.js:170: execSync(`"${BIN_PATH}" version`, ...)). The download host laogou.us does not match the package's declared publisher/homepage (github.com/yongjie0203/veteran); the URL is not pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of laogou.us can therefore serve arbitrary native code to every installer, and those bytes run under the installing user's account during npm install. This matches the publisher-mismatched, unverified, mutable-host dropper pattern.
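The three properties called out above (a lifecycle hook that fetches from a host the manifest never declares, no integrity check on the fetched bytes, and a chmod-then-execute step) are all visible statically in package.json and the install script, so they can be checked before a package is ever installed. The following audit script is an added example written for this page; it is not O3 Security's detector and not code from the veteran package. Its regular expressions are heuristics chosen for this example, and the two sample packages it audits are constructed to mirror the pattern described above (the dropper uses the made-up host cdn.example-dropper.invalid and the homepage github.com/example-org/example-tool; neither is a real project).

```python
import json
import re
from urllib.parse import urlparse

# npm lifecycle scripts that run automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (assumptions of this example, not a vendor signature set)
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
VERIFY_RE = re.compile(r"createHash|sha256|sha512|\bintegrity\b|signature|\.sig\b", re.I)
EXEC_RE = re.compile(r"\b(?:execSync|execFileSync|spawnSync|exec|execFile|spawn)\s*\(")
CHMOD_RE = re.compile(r"\bchmod(?:Sync)?\s*\(|0o7[0-7][0-7]")


def registrable_host(url: str) -> str:
    """Last two DNS labels of a URL's host, e.g. 'laogou.us' or 'github.com'."""
    if "://" not in url:
        url = "https://" + url  # manifests often omit the scheme: 'github.com/org/repo'
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def declared_hosts(manifest: dict) -> set:
    """Hosts the manifest itself vouches for: homepage, repository and bugs URLs."""
    candidates = [manifest.get("homepage")]
    repo = manifest.get("repository")
    candidates.append(repo.get("url") if isinstance(repo, dict) else repo)
    bugs = manifest.get("bugs")
    candidates.append(bugs.get("url") if isinstance(bugs, dict) else bugs)
    return {registrable_host(c.replace("git+", "", 1))
            for c in candidates if isinstance(c, str) and c.strip()}


def audit_package(manifest_text: str, files: dict) -> dict:
    """Flag the unverified install-time dropper pattern.

    manifest_text: contents of package.json; files: {filename: source} for shipped scripts.
    Returns {'verdict': 'none' | 'review' | 'high', 'findings': [...]}.
    """
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    findings = []
    if not hooks:
        return {"verdict": "none", "findings": findings}

    trusted = declared_hosts(manifest)
    foreign_download = unverified = executes = False
    for hook, cmd in hooks.items():
        findings.append(f"lifecycle hook {hook!r} runs {cmd!r}")
        # every shipped script named in the hook command is on the install path
        for name, src in files.items():
            if name not in cmd:
                continue
            urls = URL_RE.findall(src)
            for url in urls:
                host = registrable_host(url)
                if host not in trusted:
                    foreign_download = True
                    findings.append(f"{name}: fetches from {host}, not a declared host {sorted(trusted)}")
            if urls and not VERIFY_RE.search(src):
                unverified = True
                findings.append(f"{name}: no checksum or signature check on downloaded bytes")
            if EXEC_RE.search(src) and CHMOD_RE.search(src):
                executes = True
                findings.append(f"{name}: marks a file executable and runs a child process")

    # All three together are the publisher-mismatched, unverified, executed dropper pattern;
    # any lifecycle hook at all still deserves a human look.
    verdict = "high" if (foreign_download and unverified and executes) else "review"
    return {"verdict": verdict, "findings": findings}


# Constructed sample modelled on the behaviour described above (not the real package's files).
DROPPER_MANIFEST = json.dumps({
    "name": "example-tool", "version": "1.0.0",
    "homepage": "https://github.com/example-org/example-tool",
    "scripts": {"postinstall": "node install.js"},
})
DROPPER_INSTALL_JS = r"""
const fs = require('fs');
const { execSync } = require('child_process');
const DOWNLOAD_BASE_URL = 'https://cdn.example-dropper.invalid/download/example-tool';
const BIN_PATH = 'bin/example-tool';
// ... fetch `${DOWNLOAD_BASE_URL}/v1.0.0/...` and extract it with tar/unzip ...
fs.chmodSync(BIN_PATH, 0o755);
execSync(`"${BIN_PATH}" version`, { stdio: 'inherit' });
"""

# Constructed clean counterpart: same hook, but fetches from the declared host and pins a digest.
CLEAN_MANIFEST = DROPPER_MANIFEST
CLEAN_INSTALL_JS = r"""
const crypto = require('crypto');
const RELEASE_URL = 'https://github.com/example-org/example-tool/releases/download/v1.0.0/';
const EXPECTED_SHA256 = '<pinned digest placeholder>';
// verify before anything is written to disk or run
const digest = crypto.createHash('sha256').update(bytes).digest('hex');
if (digest !== EXPECTED_SHA256) throw new Error('checksum mismatch');
"""

if __name__ == "__main__":
    for label, m, js in (("dropper", DROPPER_MANIFEST, DROPPER_INSTALL_JS),
                         ("clean", CLEAN_MANIFEST, CLEAN_INSTALL_JS)):
        result = audit_package(m, {"install.js": js})
        print(f"{label}: {result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

Run against a real package, you would point it at the extracted tarball's package.json and every file the lifecycle command names. A "review" verdict on the clean sample is deliberate: a postinstall hook that downloads anything is worth a look even when the host matches and the digest is pinned, because the pin only helps if the manifest itself came from a trusted channel.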

Malicious versions

3 flagged: 1.0.3, 1.0.5, 1.0.11

Indicators of compromise (SHA-256)

2090d10d814f7a007b22aef6b4a02f936d6aa7c4d6aa3e33119cb4790b7a1cc7
32d36199543a5734d26e7afa06931d745a1bc1e45b6e381cf0b6de00569bec33
70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4
8a0b963f374ca64c5f3c294b3479ec208aa4c4fd28e2fcc536f0a40f46589fe4
8bfccafcb2db4d6b3085202a767e060929a7c580172cbfbd2c24511b4207099b
e3c7d817d0894b68fd858f9e73ea8f751a06414bb4ad6b3c98a15c4b7b096a5d

Frequently asked questions

No. veteran on npm has been identified as a malicious package (versions 1.0.3, 1.0.5, 1.0.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004199
IN-MAL-2026-003903
IN-MAL-2026-003902
IN-MAL-2026-004200
IN-MAL-2026-005822
IN-MAL-2026-005821

Credits

  • Amazon Inspector · finder

veteran (npm) malicious package — MAL-2026-4703 | O3 Security