Which versions of @giftyhq/widget-components are malicious?

The following npm versions of @giftyhq/widget-components are flagged malicious: 19.12.11. Treat any of these as compromised.

How do I remediate @giftyhq/widget-components if I installed it?

@giftyhq/widget-components is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @giftyhq/widget-components — how do I know if it already compromised me?

If @giftyhq/widget-components was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @giftyhq/widget-components part of a known attack campaign?

Yes — @giftyhq/widget-components is associated with the IN-MAL-2026-006397, IN-MAL-2026-006398 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @giftyhq/widget-components across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @giftyhq/widget-components (version 19.12.11). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @giftyhq/widget-components across your stack and pipelines.

Malicious package

@giftyhq/widget-componentsnpm

Malicious code in @giftyhq/widget-components (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5747

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @giftyhq/widget-components

What this malware does

package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data — os.hostname(), os.userInfo(), process.platform, uid/gid, shell, cwd, and the output of child_process.exec('whoami') and exec('id') — and POSTs the result as JSON to the hardcoded URL https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.

Malicious versions

1 flagged

19.12.11

Indicators of compromise (SHA-256)

8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62

cbc5281f5eee9d9c1c78060b669e0228c72578f384f969d7773dc144a1e10157

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @giftyhq/widget-components (version 19.12.11). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @giftyhq/widget-components across your stack and pipelines.
If you installed it — respond
@giftyhq/widget-components is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @giftyhq/widget-components was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @giftyhq/widget-components before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @giftyhq/widget-components on npm has been identified as a malicious package (version 19.12.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006397IN-MAL-2026-006398

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @giftyhq/widget-components-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring