Which versions of @demica/shared are malicious?

The following npm versions of @demica/shared are flagged malicious: 99.99.100. Treat any of these as compromised.

How do I remediate @demica/shared if I installed it?

Remove @demica/shared from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @demica/shared part of a known attack campaign?

Yes — @demica/shared is associated with the IN-MAL-2026-005010 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @demica/shared in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @demica/shared and packages like it before any post-install script runs.

Malicious package

@demica/sharednpm

Malicious code in @demica/shared (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5351

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @demica/shared

What this malware does

Note: This report is updated by a verification record

Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.

@demica/[email protected] declares postinstall: node canary.js postinstall in package.json, which fires automatically on npm install. canary.js issues a plaintext HTTP GET to bare IP 157.230.17.236:80 at path /dc?... with query parameters including os.hostname(), the package name/version, a nonce, and the lifecycle phase. The installer's host identifier is disclosed to a third-party endpoint over unauthenticated HTTP without consent. The package self-describes as a 'dependency-confusion canary' and uses an inflated version (99.99.100) under the @demica scope to outrank a presumed internal package of the same name — the canonical dependency-confusion attack shape. Regardless of the operator's stated intent, any party that resolves this public package on npm install is beaconed to an attacker-shaped destination (bare IP, plaintext HTTP, no opt-out).

Malicious versions

1 flagged

99.99.100

Indicators of compromise (SHA-256)

dfc020ab633bac129072df0d74deea8e0a2e118b43dbebf01ba9bbf2b13b6e76

Frequently asked questions

No. @demica/shared on npm has been identified as a malicious package (version 99.99.100 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005010

References

Credits

Amazon Inspector · finder
SafeDep · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection