Which versions of @demica/resources are malicious?

The following npm versions of @demica/resources are flagged malicious: 99.99.100. Treat any of these as compromised.

How do I remediate @demica/resources if I installed it?

Remove @demica/resources from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @demica/resources part of a known attack campaign?

Yes — @demica/resources is associated with the IN-MAL-2026-005011 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @demica/resources in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @demica/resources and packages like it before any post-install script runs.

Malicious package

@demica/resourcesnpm

Malicious code in @demica/resources (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5350

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @demica/resources

What this malware does

Note: This report is updated by a verification record

Dep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.

On npm install, the package's scripts.postinstall executes canary.js, which issues an unconditional plain-HTTP GET to the hardcoded bare IP 157.230.17.236 on port 80 at path /dc?.... The query string includes os.hostname() (truncated to 200 chars) plus the package name, version, a nonce, and a phase identifier. This fires automatically on every install with no opt-out. The package self-describes as a 'dependency-confusion canary,' but it is published on the public npm registry under the @demica/* scope: any installer that resolves @demica/resources — including via accidental dependency confusion, typo, or curiosity install — will leak their hostname to the operator of that bare IP over unencrypted HTTP. The destination is an anonymous bare IP with no associated domain, publisher, or disclosure; hostname is an installer-side host identifier transmitted off-host to an attacker-shaped endpoint.

Malicious versions

1 flagged

99.99.100

Indicators of compromise (SHA-256)

98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf

Frequently asked questions

No. @demica/resources on npm has been identified as a malicious package (version 99.99.100 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005011

References

Credits

Amazon Inspector · finder
SafeDep · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection