Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

xxdxanpm

Malicious code in xxdxa (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10752
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall xxdxa

What this malware does

The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=page_html&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, no_user_span, no_nonce, exploit_success, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to [email protected], then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members/<user>/settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.

Malicious versions

6 flagged
1.0.11.0.21.0.31.0.41.0.51.0.7

Indicators of compromise (SHA-256)

0419014b846dad93131788936a2a40257cb27b7c19ab4f74b43d84445b608afa
0aa8c7ef8c36ef3d4eb1f3c423ca518894ee4abd9c621232cf8d451a9e5d81f9
26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360
4f93df3b1a546f25702b9d6d35590f05a6f86171cd9852085c2708b5f765242f
d9f7b472ce0efe03e1eb07b8756f06682c3289fb2b33f544edcd12f71d7e3e56
f8c8cc7d71b667ac9ab8421c504e75d408ec3354aa77d47d1287cb8c190a85e1

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for xxdxa (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging xxdxa across your stack and pipelines.

  2. If you installed it — respond

    xxdxa is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If xxdxa was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks xxdxa before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. xxdxa on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010754IN-MAL-2026-010755IN-MAL-2026-010717IN-MAL-2026-010716IN-MAL-2026-010714IN-MAL-2026-010760

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks xxdxa-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.