Which versions of @klapp-kyc/routes are malicious?

The following npm versions of @klapp-kyc/routes are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @klapp-kyc/routes if I installed it?

Remove @klapp-kyc/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @klapp-kyc/routes part of a known attack campaign?

Yes — @klapp-kyc/routes is associated with the IN-MAL-2026-005083, IN-MAL-2026-005082, IN-MAL-2026-005151, IN-MAL-2026-005150 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @klapp-kyc/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @klapp-kyc/routes and packages like it before any post-install script runs.

Malicious package

@klapp-kyc/routesnpm

Malicious code in @klapp-kyc/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5412

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @klapp-kyc/routes

What this malware does

On npm install, the package's preinstall hook executes node index.js, which collects the installer's hostname, OS username, current working directory, __dirname, and package name, then exfiltrates them through two channels unconditionally: (1) a hex-encoded DNS A-record query to a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh-style out-of-band collector), and (2) an HTTP POST of a JSON payload to http://172.201.213.59:9090/c. The package has no other functionality — package.json declares description: "security research", version 99.0.0 (dependency-confusion-style high version), and a KYC-themed scope (@klapp-kyc/routes) suggesting targeted reconnaissance against a specific organization's internal namespace. Regardless of the self-description, installers' internal host identifiers are leaked to attacker-controlled infrastructure.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

117301b4ebab6f5a18c2b3dafaa501e36c8b666a2c926950805f169ae3a982a4

ad94c92fd5b9921bc74eebca1ec5a25c4547ca62c54d9026850535d2f4c39849

47cc2d1136216fc706d2aab88cd6cf12099d78ebc723c090b93f1b93d62d101b

ca32e3aa7685d93e36eca726e08096bd0c5ba425172ef254fdf769cc09b46887

Frequently asked questions

No. @klapp-kyc/routes on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005083IN-MAL-2026-005082IN-MAL-2026-005151IN-MAL-2026-005150

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection