MAL-2026-6581: Malicious code in ollama-helpers (npm)
The npm package 'ollama-helpers' versions 1.2.1 and 1.2.2 contains malicious code that executes automatically upon installation. This code collects extensive sensitive information from the user's environment, including OS hostname, usernames, Git configuration and commit history, SSH public key comments, cloud service account identifiers, and CI environment details. The collected data is sent to an anonymous Google Cloud Run endpoint unrelated to the legitimate Ollama project. The package impersonates the official Ollama ecosystem with fabricated metadata but does not include the declared main executable, indicating its sole purpose is data exfiltration without user consent or opt-out.
AI Analysis
Technical Summary
The 'ollama-helpers' npm package versions 1.2.1 and 1.2.2 contain a postinstall script that automatically runs during 'npm install'. This script harvests a broad range of identity and configuration data from the installer environment, such as OS hostname, usernames, Git user emails and commit history, SSH public key comments, GitHub and cloud service credentials (GCP, AWS), DNS domains, current working directory, CI provider, and parent project metadata. The collected information is serialized into JSON and transmitted via HTTPS POST to a hardcoded endpoint hosted on Google Cloud Run, which is unrelated to the official Ollama project. The package uses fabricated author and homepage metadata to impersonate the legitimate Ollama ecosystem. The absence of the declared main file and the presence of only the exfiltration script confirm the package is a malicious data exfiltration tool disguised as a helper library. No user consent or opt-out mechanism is provided, and the scope of data collection far exceeds typical telemetry.
Potential Impact
Sensitive user and environment information is exfiltrated without consent, including potentially identifying details such as usernames, SSH key comments, cloud service account identifiers, and Git commit history. This exposure can lead to privacy violations, targeted attacks, credential compromise, and unauthorized access to cloud resources or source code repositories. The malicious package masquerades as a legitimate helper library, increasing the risk of inadvertent installation and data leakage.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately uninstall versions 1.2.1 and 1.2.2 of 'ollama-helpers' and avoid installing this package. Verify the authenticity of npm packages before installation, especially those impersonating known projects. Monitor for any unexpected network traffic to unknown endpoints following installation attempts. Check vendor advisories or npm security advisories for updates or official guidance. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
MAL-2026-6581: Malicious code in ollama-helpers (npm)
Description
The npm package 'ollama-helpers' versions 1.2.1 and 1.2.2 contains malicious code that executes automatically upon installation. This code collects extensive sensitive information from the user's environment, including OS hostname, usernames, Git configuration and commit history, SSH public key comments, cloud service account identifiers, and CI environment details. The collected data is sent to an anonymous Google Cloud Run endpoint unrelated to the legitimate Ollama project. The package impersonates the official Ollama ecosystem with fabricated metadata but does not include the declared main executable, indicating its sole purpose is data exfiltration without user consent or opt-out.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'ollama-helpers' npm package versions 1.2.1 and 1.2.2 contain a postinstall script that automatically runs during 'npm install'. This script harvests a broad range of identity and configuration data from the installer environment, such as OS hostname, usernames, Git user emails and commit history, SSH public key comments, GitHub and cloud service credentials (GCP, AWS), DNS domains, current working directory, CI provider, and parent project metadata. The collected information is serialized into JSON and transmitted via HTTPS POST to a hardcoded endpoint hosted on Google Cloud Run, which is unrelated to the official Ollama project. The package uses fabricated author and homepage metadata to impersonate the legitimate Ollama ecosystem. The absence of the declared main file and the presence of only the exfiltration script confirm the package is a malicious data exfiltration tool disguised as a helper library. No user consent or opt-out mechanism is provided, and the scope of data collection far exceeds typical telemetry.
Potential Impact
Sensitive user and environment information is exfiltrated without consent, including potentially identifying details such as usernames, SSH key comments, cloud service account identifiers, and Git commit history. This exposure can lead to privacy violations, targeted attacks, credential compromise, and unauthorized access to cloud resources or source code repositories. The malicious package masquerades as a legitimate helper library, increasing the risk of inadvertent installation and data leakage.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately uninstall versions 1.2.1 and 1.2.2 of 'ollama-helpers' and avoid installing this package. Verify the authenticity of npm packages before installation, especially those impersonating known projects. Monitor for any unexpected network traffic to unknown endpoints following installation attempts. Check vendor advisories or npm security advisories for updates or official guidance. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6581
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed6927e9c79719938296
Added to database: 06/29/2026, 22:10:49 UTC
Last enriched: 06/29/2026, 22:35:59 UTC
Last updated: 06/30/2026, 00:45:05 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.