Malicious package

@design-system-coopeuch/web (npm)

Malicious code in @design-system-coopeuch/web (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3653
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @design-system-coopeuch/web

What this malware does

Package @design-system-coopeuch/web is a dependency-confusion squat of an internal-looking scope, published at an inflated 999.x version to override any private registry copy. Its package.json declares a preinstall hook that runs cb.js, which collects installer host identifiers (os.hostname(), cwd, install directory, id, uname -a, OS release info, and the full list of process.env key names) and POSTs them as JSON over cleartext HTTP to a hardcoded bare IP, http://157.173.126.113:8443/dep-confusion (cb.js line 20: hostname: "157.173.126.113", port: 8443, path: "/dep-confusion", method: "POST"). The beacon fires automatically on npm install without user consent. Although the package description self-labels as an "authorized bug bounty PoC," any unintended installer has their host fingerprint exfiltrated to an attacker-controlled endpoint. The combination of internal-scope impersonation, inflated version, and install-time beacon to a bare IP is the canonical dependency-confusion attack shape.

The OpenSSF Package Analysis project identified '@design-system-coopeuch/web' @ 999.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

2 flagged
999.0.0, 999.0.4

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @design-system-coopeuch/web (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @design-system-coopeuch/web across your stack and pipelines.

  2. If you installed it — respond

    @design-system-coopeuch/web is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If @design-system-coopeuch/web was ever installed, its install-time payload (the preinstall hook that runs cb.js) may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise, not just the presence of the package.

  4. How O3 protects you

    O3 blocks @design-system-coopeuch/web before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
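
One way to carry out step 1 ("Find it") against npm's package-lock.json, as an added example (not O3's scanner and not code from the advisory). The sample lockfile and the `example-lib` and `ui-kit` names are constructed; any installed version of the package is reported, with the two flagged versions marked as known malicious.

```javascript
// Package and versions flagged by this advisory (values taken from the page).
const FLAGGED = { name: "@design-system-coopeuch/web", versions: ["999.0.0", "999.0.4"] };
// Record a finding if a lockfile entry is the flagged package (any version).
function check(name, meta, where, findings) {
  if (name !== FLAGGED.name) return;
  findings.push({
    where,
    version: meta.version,
    knownMalicious: FLAGGED.versions.includes(meta.version),
    // lockfile v2/v3 sets hasInstallScript when the package declares install hooks
    hasInstallScript: meta.hasInstallScript === true,
    resolved: meta.resolved || null, // which registry URL served the tarball, if recorded
  });
}

// Scan a parsed package-lock.json; returns one finding per installed copy.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue;
      check(meta.name || path.slice(idx + "node_modules/".length), meta, path, findings);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree keyed by package name.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta, [...trail, name].join(" > "), findings);
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): one nested malicious copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/ui-kit/node_modules/@design-system-coopeuch/web": { version: "999.0.4", hasInstallScript: true },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To scan a real project, pass the parsed contents of its package-lock.json to `scanLockfile`; a non-empty result means the package reached `node_modules` through the path shown in `where`.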

Frequently asked questions

No. @design-system-coopeuch/web on npm has been identified as a malicious package (versions 999.0.0, 999.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002780, IN-MAL-2026-002778, IN-MAL-2026-002748, IN-MAL-2026-002749, IN-MAL-2026-002779

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder
