Malicious package

veteran-proxy (npm)

Malicious code in veteran-proxy (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4704
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall veteran-proxy

What this malware does

On npm install, the postinstall hook (node install.js) downloads a platform-specific binary archive from a hardcoded https://your-website.com/downloads/veteran/... URL, extracts it, chmods it 0755, and immediately executes it (execSync("${BIN_PATH}" version)). The README advertises that binaries come from GitHub Releases at github.com/yongjie0203/veteran/releases, but the install script hardcodes your-website.com, with a Chinese-language comment instructing the maintainer to replace it with their real download host. The package was published to npm with the placeholder still in place. There is no hash or signature verification of the fetched bytes, so whoever registers or already controls your-website.com can ship arbitrary executables to every installer of this package, with full code execution on the installer's machine. Even if no malicious intent is on record today, the install path is undefined: the destination domain is not under the publisher's control, the URL is unpinned, and the purpose of the fetched binary (advertised as a SOCKS5 proxy) cannot be verified.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

b3eb733a784dc5c0ef6bcae90345204241a6b4e504f86e22fee7e66fae22376d
e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for veteran-proxy (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging veteran-proxy across your stack and pipelines.

  2. If you installed it — respond

    Remove veteran-proxy from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If veteran-proxy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks veteran-proxy before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
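Step 1 above, as an added example (not O3's scanner and not code from the original page): a Node.js function that checks a parsed package-lock.json for veteran-proxy 1.0.0, including transitive installs, and reports the install path that pulled it in. The sample lockfile and the some-tool package name are constructed for illustration; pass the result of JSON.parse on your own lockfile instead.

```javascript
// Added example: locate a flagged package in a parsed package-lock.json.
const FLAGGED = { name: "veteran-proxy", versions: new Set(["1.0.0"]) };

// Returns [{ path, version, hasInstallScript }] for every flagged entry.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // The key ends in node_modules/<name>; aliased installs keep the real name in meta.name.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === flagged.name && flagged.versions.has(meta.version)) {
      // hasInstallScript is recorded by npm when the package declares install hooks.
      hits.push({ path, version: meta.version, hasInstallScript: meta.hasInstallScript === true });
    }
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const seen = hits.some((h) => h.path === path);
      if (!seen && name === flagged.name && flagged.versions.has(meta.version)) {
        // v1 lockfiles do not record install hooks, so the flag is unknown (null).
        hits.push({ path, version: meta.version, hasInstallScript: null });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the flagged package arrives transitively via "some-tool".
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/veteran-proxy": {
      version: "1.0.0",
      hasInstallScript: true,
    },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

A hit with hasInstallScript set to true means the postinstall hook was eligible to run on that machine, which is the case steps 2 and 3 treat as a possible execution.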

Frequently asked questions

No. veteran-proxy on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003876, IN-MAL-2026-003875

Credits

  • Amazon Inspector · finder


veteran-proxy (npm) malicious package — MAL-2026-4704 | O3 Security