Which versions of @civitatis/bot-ui are malicious?

The following npm versions of @civitatis/bot-ui are flagged malicious: 14.12.11, 15.12.11. Treat any of these as compromised.

How do I remediate @civitatis/bot-ui if I installed it?

Remove @civitatis/bot-ui from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @civitatis/bot-ui part of a known attack campaign?

Yes — @civitatis/bot-ui is associated with the IN-MAL-2026-006926, IN-MAL-2026-006930 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @civitatis/bot-ui in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @civitatis/bot-ui and packages like it before any post-install script runs.

Malicious package

@civitatis/bot-uinpm

Malicious code in @civitatis/bot-ui (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6069

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @civitatis/bot-ui

What this malware does

The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires child_process, os, https, and http, then collects host and user identity — whoami, id, os.hostname(), process.platform, architecture, homedir, os.userInfo() (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56 (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the bot-ui name — and the @civitatis scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.

Malicious versions

2 flagged

14.12.1115.12.11

Indicators of compromise (SHA-256)

e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7

6c7b137f3a76494fda4324f6d092333d5017df9b8b0edeed588b1e1ed6f45675

Frequently asked questions

No. @civitatis/bot-ui on npm has been identified as a malicious package (versions 14.12.11, 15.12.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006926IN-MAL-2026-006930

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection