Which versions of vortnode are malicious?

The following npm versions of vortnode are flagged malicious: 1.2.0. Treat any of these as compromised.

How do I remediate vortnode if I installed it?

Remove vortnode from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is vortnode part of a known attack campaign?

Yes — vortnode is associated with the IN-MAL-2026-006750 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect vortnode in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking vortnode and packages like it before any post-install script runs.

Malicious package

vortnodenpm

Malicious code in vortnode (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5884

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall vortnode

What this malware does

On npm install, the preinstall hook (node lib/setup.js) runs on Windows and invokes lib/worker.js, which downloads an executable to %LOCALAPPDATA%\Temp (or %TEMP%) under Microsoft-update cover names (msedge_update, chrome_installer, dotnet_host, onedrive_setup, teams_update) and silently executes it via spawn(fp, [], { detached: true, stdio: 'ignore', windowsHide: true }) followed by ch.unref(). The download URL is XOR-decoded at runtime from opaque buffers carried in the foldmap dependency, with a fallback chain of https → curl.exe → bitsadmin to maximize delivery; TLS verification is disabled (rejectUnauthorized: false); the Mark-of-the-Web :Zone.Identifier ADS is stripped before execution. All sensitive identifiers in lib/worker.js (https, child_process, spawn, curl.exe, bitsadmin, powershell.exe, :Zone.Identifier, env vars, cover filenames) are constructed with String.fromCharCode(...) to evade signature scanning. The package's advertised index.js API (spawn/kill/list/has) is a decoy never referenced by the install path. Any developer or CI runner installing vortnode on Windows executes attacker-controlled code as the current user.

Malicious versions

1 flagged

1.2.0

Indicators of compromise (SHA-256)

43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb

Frequently asked questions

No. vortnode on npm has been identified as a malicious package (version 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006750

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection