Which versions of workflow-postgres-setup are malicious?

The following npm versions of workflow-postgres-setup are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate workflow-postgres-setup if I installed it?

Remove workflow-postgres-setup from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is workflow-postgres-setup part of a known attack campaign?

Yes — workflow-postgres-setup is associated with the IN-MAL-2026-006218 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect workflow-postgres-setup in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking workflow-postgres-setup and packages like it before any post-install script runs.

Malicious package

workflow-postgres-setupnpm

Malicious code in workflow-postgres-setup (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5715

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall workflow-postgres-setup

What this malware does

The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry index.js is absent from the tarball. Its only functional code is bin/run.js, which on invocation (via npx workflow-postgres-setup or the installed bin) reads process.env.INIT_CWD || process.cwd(), takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept. Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963

Frequently asked questions

No. workflow-postgres-setup on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006218

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection