Which versions of @klapp-login-platform/routes are malicious?

The following npm versions of @klapp-login-platform/routes are flagged malicious: 99.0.0, 99.0.2. Treat any of these as compromised.

How do I remediate @klapp-login-platform/routes if I installed it?

Remove @klapp-login-platform/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @klapp-login-platform/routes part of a known attack campaign?

Yes — @klapp-login-platform/routes is associated with the IN-MAL-2026-005068, IN-MAL-2026-005067, IN-MAL-2026-005128, IN-MAL-2026-005129 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @klapp-login-platform/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @klapp-login-platform/routes and packages like it before any post-install script runs.

Malicious package

@klapp-login-platform/routesnpm

Malicious code in @klapp-login-platform/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5415

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @klapp-login-platform/routes

What this malware does

On npm install, the package's preinstall lifecycle hook executes index.js, which collects the installer's hostname, username, package install path (__dirname), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates the data through two channels: DNS lookups against subdomains of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an Interactsh out-of-band callback host) and an HTTP POST to the bare IP endpoint http://172.201.213.59:9090/c. The package ships almost no functional code; its purpose is the beacon. The scope @klapp-login-platform paired with an inflated 99.0.2 version and a generic routes name fits the canonical dependency-confusion pattern of publishing a high-version public package to shadow an internal private package of the same name, causing affected build environments to resolve and install this attacker-controlled release.

Malicious versions

2 flagged

99.0.099.0.2

Indicators of compromise (SHA-256)

c9f6b9efd71eddb881438d2ca27620bd74bfb2d294c4c93a31810f9b4a0398be

ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7

e9913ce094c3b9378054947a30b6006a21c13aaac0cca90b707c13a81c962894

bb01db4904bb167c8048cc3cb668a0e554a972e0a68c95ff18df9d161affef7f

Frequently asked questions

No. @klapp-login-platform/routes on npm has been identified as a malicious package (versions 99.0.0, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005068IN-MAL-2026-005067IN-MAL-2026-005128IN-MAL-2026-005129

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection