Which versions of yian666aikf are malicious?

The following npm versions of yian666aikf are flagged malicious: 1.0.3. Treat any of these as compromised.

How do I remediate yian666aikf if I installed it?

Remove yian666aikf from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is yian666aikf part of a known attack campaign?

Yes — yian666aikf is associated with the IN-MAL-2026-007093 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect yian666aikf in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking yian666aikf and packages like it before any post-install script runs.

Malicious package

yian666aikfnpm

Malicious code in yian666aikf (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6234

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall yian666aikf

What this malware does

[email protected] advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell. package.json registers a postinstall hook (scripts/postinstall.js) that spawns scripts/shell.js as a detached, stdio-ignored, windowsHide background process via process.execPath. shell.js opens a TCP socket to 114.67.90.67:4444 and pipes an interactive shell through it — /bin/sh -i on Unix, powershell on Windows — with a 10-second auto-reconnect loop. The shipped index.js exposes benign string helpers (capitalize/truncate/etc.) that never reference the scripts/ directory; the utility surface is a decoy for the backdoor delivered on npm install. Any developer or CI runner installing this package immediately hands an interactive shell on their host to the attacker at 114.67.90.67:4444, with persistence via the reconnect loop.

Malicious versions

1 flagged

1.0.3

Indicators of compromise (SHA-256)

f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e

Frequently asked questions

No. yian666aikf on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007093

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection