Which versions of @webd-infra/query-designer-domain are malicious?

The following npm versions of @webd-infra/query-designer-domain are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate @webd-infra/query-designer-domain if I installed it?

Remove @webd-infra/query-designer-domain from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @webd-infra/query-designer-domain — how do I know if it already compromised me?

If @webd-infra/query-designer-domain was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @webd-infra/query-designer-domain part of a known attack campaign?

Yes — @webd-infra/query-designer-domain is associated with the IN-MAL-2026-005048, IN-MAL-2026-005047 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @webd-infra/query-designer-domain across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webd-infra/query-designer-domain (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webd-infra/query-designer-domain across your stack and pipelines.

Malicious package

@webd-infra/query-designer-domainnpm

Malicious code in @webd-infra/query-designer-domain (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5431

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @webd-infra/query-designer-domain

What this malware does

The package's package.json declares its only dependency ltidisafe as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.3.tgz. On npm install, npm fetches this tarball from a Google Cloud Storage bucket (not the npm registry) and runs whatever lifecycle scripts it contains. The bucket owner — not an npm publisher with registry-side accountability — controls exactly which bytes get executed, and the tarball contents at that URL can change at any time. Supporting indicators: the package has empty author and description fields, the version 99.9.1 is the canonical dependency-confusion sentinel used in research/PoC packages, and the bucket path segment is the literal string depenconf. The package itself ships no other runtime code — its sole effect on installers is resolving and executing this off-registry tarball.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

09de5dd8298cd731b0a421ff015b7830918c5d8d5ac3fe29378ecf042596832a

1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webd-infra/query-designer-domain (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webd-infra/query-designer-domain across your stack and pipelines.
If you installed it — respond
Remove @webd-infra/query-designer-domain from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @webd-infra/query-designer-domain was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @webd-infra/query-designer-domain before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @webd-infra/query-designer-domain on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005048IN-MAL-2026-005047

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @webd-infra/query-designer-domain-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring