Which versions of @webda-infra/search are malicious?

The following npm versions of @webda-infra/search are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate @webda-infra/search if I installed it?

Remove @webda-infra/search from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @webda-infra/search — how do I know if it already compromised me?

If @webda-infra/search was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @webda-infra/search part of a known attack campaign?

Yes — @webda-infra/search is associated with the IN-MAL-2026-005046, IN-MAL-2026-005045 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @webda-infra/search across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webda-infra/search (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webda-infra/search across your stack and pipelines.

Malicious package

@webda-infra/searchnpm

Malicious code in @webda-infra/search (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5433

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @webda-infra/search

What this malware does

@webda-infra/[email protected] is a near-empty placeholder (index.js is empty, module.exports = {}) whose package.json declares a single dependency, ltidisafe, resolved via a direct URL to a Google Cloud Storage bucket: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.4.tgz. The path segment depenconf, the burner-style version 99.9.1 chosen to outrank any legitimate internal @webda-infra/* package, and the absence of an integrity hash or version pin combine into a dependency-confusion / namespace-squat shape: any npm install that resolves this public package will fetch and install whatever bytes are hosted at that GCS URL, including any preinstall/install/postinstall lifecycle scripts in the resulting tarball. The GCS bucket is unrelated to any verified webda / webda-infra publisher and the URL is mutable — the operator can swap the served bytes at any time. The entire reason to install this package is to pull and execute arbitrary off-registry code on the installer's machine.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

1440e1683583954f5e69d00ccb47aa66112bc979d244e7f9e148b16d84ae7ba0

1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webda-infra/search (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webda-infra/search across your stack and pipelines.
If you installed it — respond
Remove @webda-infra/search from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @webda-infra/search was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @webda-infra/search before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @webda-infra/search on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005046IN-MAL-2026-005045

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @webda-infra/search-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring