Which versions of @klapp-otp/routes are malicious?

The following npm versions of @klapp-otp/routes are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @klapp-otp/routes if I installed it?

Remove @klapp-otp/routes from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @klapp-otp/routes part of a known attack campaign?

Yes — @klapp-otp/routes is associated with the IN-MAL-2026-005100, IN-MAL-2026-005099, IN-MAL-2026-005157, IN-MAL-2026-005156 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @klapp-otp/routes in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @klapp-otp/routes and packages like it before any post-install script runs.

Malicious package

@klapp-otp/routesnpm

Malicious code in @klapp-otp/routes (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5416

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @klapp-otp/routes

What this malware does

On npm install, this package auto-executes index.js via the preinstall lifecycle hook. The script collects os.hostname(), os.userInfo(), __dirname, process.cwd(), and the package name, then exfiltrates them through two channels: (1) a hex-encoded DNS A-record query to <encoded>.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh out-of-band collector), and (2) an HTTP POST of the same JSON payload to http://172.201.213.59:9090/c. Both channels fire unconditionally on install, leaking installer identity to attacker-controlled infrastructure. The package metadata reinforces the dependency-confusion / namespace-squat shape: scope @klapp-otp with version 99.0.0 and the description string security research, paired with no legitimate functionality in the tarball.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

3701ac552bd704a6c763558749e69755eadea825b90f0b0e51be120ed8bf2c01

6eebbab7c031083ae325b2262558bb759840f96f356a54ac3df3b5e1fa70ae75

8d3143a25bca88550c73189b84085b9a8770cace00d02790eb6c17520350f0bd

9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee

Frequently asked questions

No. @klapp-otp/routes on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005100IN-MAL-2026-005099IN-MAL-2026-005157IN-MAL-2026-005156

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection