Which versions of @klapp-about/routes are malicious?

The following npm versions of @klapp-about/routes are flagged malicious: 99.0.0, 99.0.1, 99.0.2. Treat any of these as compromised.

How do I remediate @klapp-about/routes if I installed it?

Remove @klapp-about/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @klapp-about/routes part of a known attack campaign?

Yes — @klapp-about/routes is associated with the IN-MAL-2026-005097, IN-MAL-2026-005074, IN-MAL-2026-005073, IN-MAL-2026-005098, IN-MAL-2026-005138, IN-MAL-2026-005139 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @klapp-about/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @klapp-about/routes and packages like it before any post-install script runs.

Malicious package

@klapp-about/routesnpm

Malicious code in @klapp-about/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5411

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @klapp-about/routes

What this malware does

On npm install, the package's preinstall hook (node index.js) collects host and user identity data — os.hostname(), os.userInfo().username, __dirname, process.cwd(), pid, node version, platform, and architecture — and ships them to two attacker-controlled destinations: (a) an HTTP POST to a bare IP http://172.201.213.59:9090/cb/klapp-about-routes carrying the collected fields as JSON, and (b) a hex-encoded DNS lookup to *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (interactsh out-of-band callback). The package name @klapp-about/routes and the unusually high version 99.0.0 are the canonical shape of a dependency-confusion attack — an internal-looking scope published to public npm at a version high enough to override a private resolver. Self-description as a 'security research / dependency-confusion PoC' does not change installer-side impact: any developer or CI system that misroutes installs to the public registry has their machine fingerprint shipped to the hardcoded IP and DNS callback service without consent.

Malicious versions

3 flagged

99.0.099.0.199.0.2

Indicators of compromise (SHA-256)

3a89d8d92c1d5303d17c64a14353dfd86d738d620129a830af3684b6ab2e2167

99d2936e8940c6e62254cb8aefb5220dad856de80e50243788f3282e17035c10

dd5d030db916b2c1fcac6ca8ebaa5415eae8a32ad67a5104b78a17d535111a10

fbc76fb74ca69f4553d9ffdb5b337805879b2a9d689fef836fb3b23e18a34482

715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875

d37bd4622a778532f5476c87ebbe915d7d07d5ae30bf817d52ebdad17154c789

Frequently asked questions

No. @klapp-about/routes on npm has been identified as a malicious package (versions 99.0.0, 99.0.1, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005097IN-MAL-2026-005074IN-MAL-2026-005073IN-MAL-2026-005098IN-MAL-2026-005138IN-MAL-2026-005139

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection