Which versions of @klapp-login-platform/oidc are malicious?

The following npm versions of @klapp-login-platform/oidc are flagged malicious: 99.0.0, 99.0.2. Treat any of these as compromised.

How do I remediate @klapp-login-platform/oidc if I installed it?

Remove @klapp-login-platform/oidc from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @klapp-login-platform/oidc part of a known attack campaign?

Yes — @klapp-login-platform/oidc is associated with the IN-MAL-2026-005072, IN-MAL-2026-005071, IN-MAL-2026-005125, IN-MAL-2026-005124 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @klapp-login-platform/oidc in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @klapp-login-platform/oidc and packages like it before any post-install script runs.

Malicious package

@klapp-login-platform/oidcnpm

Malicious code in @klapp-login-platform/oidc (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5414

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @klapp-login-platform/oidc

What this malware does

On npm install, the package executes node index.js via its preinstall hook. index.js collects the installer's hostname (os.hostname()), username (os.userInfo().username), package directory (__dirname), and current working directory (process.cwd()), serializes them to JSON, hex-encodes the payload, and exfiltrates it through two channels: (1) a DNS resolution of a subdomain under d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (interactsh-style out-of-band exfiltration), and (2) an HTTP POST to the bare IP 172.201.213.59:9090/c. The package ships no documented functionality matching its @klapp-login-platform/oidc name; the description is 'security research'. The high version number (99.0.2) under an org-style scope on the public registry is consistent with a dependency-confusion attack designed to pre-empt resolution of an internal private package of the same name, and the beaconing payload provides the attacker with confirmation of which organizations have resolved the public version.

Malicious versions

2 flagged

99.0.099.0.2

Indicators of compromise (SHA-256)

11ee7c03075e594b6e2853b480a25dcb21e349e929c5a0e9ce2d4a3893eb7931

6c2b86b9675d4d22e101f4f10f521cc36069ecebd1680d4c3ecfa0c04e8169da

d345e380cc2c86b2c8cb5578e657199a73d9627e6839459ada7b6e5eaba4cc24

fc2fae7737666daf215586b5c271c5266980f39ab734b7b043558203ce2f1080

Frequently asked questions

No. @klapp-login-platform/oidc on npm has been identified as a malicious package (versions 99.0.0, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005072IN-MAL-2026-005071IN-MAL-2026-005125IN-MAL-2026-005124

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection