Malicious package

@klapp-login-platform/native-sdk (npm)

Malicious code in @klapp-login-platform/native-sdk (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5413
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @klapp-login-platform/native-sdk

What this malware does

On npm install, the package's preinstall lifecycle hook runs node index.js, which collects installer-side identifiers — os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package name — and exfiltrates them through two channels. First, the JSON payload is hex-encoded into DNS labels and resolved under *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live, an out-of-band collector. Second, the same JSON is POSTed to a bare IP http://172.201.213.59:9090/c. Neither destination matches any documented vendor SDK endpoint. The package metadata reinforces malicious intent: the scope @klapp-login-platform resembles an internal namespace, the description is security research, and the version 99.0.2 is inflated to win dependency-confusion resolution against a private package. Installing the package immediately leaks host identity to attacker-controlled infrastructure.
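An added example (not code from the advisory or from the package): a lockfile audit for the behaviour described above. It checks npm lockfile v2/v3 entries for the flagged name and versions, for install-time scripts (`hasInstallScript`), and for scoped packages resolved from the public registry with an inflated major version. The sample lockfile, the `@acme/build-tool` entry and the major-version threshold of 90 are constructed assumptions.

```javascript
// Package name and versions are taken from the advisory text.
const FLAGGED_NAME = "@klapp-login-platform/native-sdk";
const FLAGGED_VERSIONS = ["99.0.0", "99.0.2"];
const MAJOR_THRESHOLD = 90; // assumption: heuristic cut-off for an inflated major version
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile; in practice parse your own package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@klapp-login-platform/native-sdk": {
      version: "99.0.2",
      resolved: PUBLIC_REGISTRY + "@klapp-login-platform/native-sdk/-/native-sdk-99.0.2.tgz",
      hasInstallScript: true,
    },
    "node_modules/left-pad": { version: "1.3.0", resolved: PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz" },
    // Hypothetical package with an install script, nested under another dependency.
    "node_modules/app/node_modules/@acme/build-tool": {
      version: "2.1.0",
      resolved: PUBLIC_REGISTRY + "@acme/build-tool/-/build-tool-2.1.0.tgz",
      hasInstallScript: true,
    },
  },
};

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace-local entry
    const name = path.slice(i + "node_modules/".length); // last segment of nested installs
    const reasons = [];
    if (name === FLAGGED_NAME) {
      reasons.push(FLAGGED_VERSIONS.includes(meta.version) ? "flagged-version" : "flagged-name");
    }
    // Lifecycle hooks (preinstall/install/postinstall) run code at install time.
    if (meta.hasInstallScript) reasons.push("install-script");
    // Dependency-confusion heuristic: scoped name, public registry, very high major version.
    const major = parseInt(String(meta.version).split(".")[0], 10);
    const fromPublic = String(meta.resolved || "").startsWith(PUBLIC_REGISTRY);
    if (name.startsWith("@") && fromPublic && major >= MAJOR_THRESHOLD) reasons.push("inflated-public-scoped");
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

An `install-script` finding on its own is a prompt for review, not proof of malice. Installing with `npm ci --ignore-scripts` keeps a `preinstall` hook like this one from running while the tree is being audited.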

Malicious versions

2 flagged
99.0.0, 99.0.2

Indicators of compromise (SHA-256)

3b3bc8633d15b44abc90074d3362fd9399f53d10a88e24264caee9d924a72bb6
4ae85072d8a51ca0d5080df8308f6bdc17112f8245cb5524e8419bb7dadf71bf
1a1c21c478fd309e16577b1d023bcc82834075d2b8f6b27ef867764c7db7c3f6
e8695fc1070f506a7aba7fc8895f25d14477e685da821196df6b59b027b65db0

Frequently asked questions

No. @klapp-login-platform/native-sdk on npm has been identified as a malicious package (versions 99.0.0, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005069, IN-MAL-2026-005070, IN-MAL-2026-005126, IN-MAL-2026-005127

Credits

  • Amazon Inspector · finder
