Malicious package

zyncmap (npm)

Malicious code in zyncmap (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6708
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall zyncmap

What this malware does

zyncmap advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function, getPlugin(). When invoked, getPlugin() performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the model string field of the response directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote fetch-and-eval export and a misleading bearrtoken: "logo" header are appended separately and are not mentioned in the package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.

Malicious versions

2 flagged
0.0.0, 0.0.1

Indicators of compromise (SHA-256)

251e5b6920fb8a9fdb59aba6c1b162ddd27f0b226c979e62fb43845fc0f5d9ae
3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for zyncmap (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging zyncmap across your stack and pipelines.

  2. If you installed it — respond

    zyncmap is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If zyncmap was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks zyncmap before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
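
Step 1 of the playbook for npm lockfiles, as an added example that is not O3's scanner or code from the package: a Node.js function that finds zyncmap in a parsed package-lock.json, covering the nested v1 tree and the flat v2/v3 map, including transitive and aliased installs. The sample lockfiles and the names svg-tools and safe-svg are constructed for illustration.

```javascript
// Added example (not O3 or npm code): locate zyncmap in a parsed package-lock.json.
const PACKAGE = "zyncmap";
const FLAGGED = new Set(["0.0.0", "0.0.1"]); // versions flagged on this page

function findZyncmap(lock) {
  const hits = new Map(); // install path -> resolved version
  // lockfileVersion 2/3: flat "packages" map keyed by install path. An aliased
  // install keeps the real package name in "name", so check that first.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PACKAGE) hits.set(path, meta.version);
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies"
  // tree, where an alias shows up as version "npm:<real-name>@<version>".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      const real = alias ? alias[1] : name;
      if (real === PACKAGE && !hits.has(path)) hits.set(path, alias ? alias[2] : meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version, flagged: FLAGGED.has(version) }));
}

// Constructed sample lockfiles; "svg-tools" and "safe-svg" are made-up names.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/svg-tools": { version: "2.1.0" },
    "node_modules/svg-tools/node_modules/zyncmap": { version: "0.0.1" },
    "node_modules/safe-svg": { name: "zyncmap", version: "0.0.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "svg-tools": { version: "2.1.0", dependencies: { zyncmap: { version: "0.0.1" } } },
    "safe-svg": { version: "npm:zyncmap@0.0.0" },
  },
};

for (const sample of [SAMPLE_V3, SAMPLE_V1]) {
  console.log(`lockfile v${sample.lockfileVersion}:`, findZyncmap(sample));
}
```

Pass it the result of JSON.parse on your own package-lock.json; any hit, flagged or not, means the package is in the dependency tree and the response steps above apply.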

Frequently asked questions

No. zyncmap on npm has been identified as a malicious package (versions 0.0.0, 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007854, IN-MAL-2026-007855

Credits

  • Amazon Inspector · finder


zyncmap (npm) malicious package — MAL-2026-6708 | O3 Security