Which versions of @listings/energy-labels are malicious?

The following npm versions of @listings/energy-labels are flagged malicious: 99.0.0, 99.0.1. Treat any of these as compromised.

How do I remediate @listings/energy-labels if I installed it?

Remove @listings/energy-labels from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @listings/energy-labels part of a known attack campaign?

Yes — @listings/energy-labels is associated with the IN-MAL-2026-005088, IN-MAL-2026-005134, IN-MAL-2026-005135 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @listings/energy-labels in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @listings/energy-labels and packages like it before any post-install script runs.

Malicious package

@listings/energy-labelsnpm

Malicious code in @listings/energy-labels (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5327

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @listings/energy-labels

What this malware does

The package declares "preinstall": "node index.js || true" in package.json, so on every npm install the script executes automatically and silently swallows errors. index.js collects host identity (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package label), hex-encodes the JSON payload as a DNS subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an out-of-band interaction service used for exfiltration), and additionally POSTs the same payload over plain HTTP to a hardcoded bare IP http://172.201.213.59:9090/c. There is no TLS, no authentication, no documented purpose, and the bare-IP plus OOB DNS pattern is consistent with dependency-confusion / supply-chain reconnaissance infrastructure. Installer machines are fingerprinted and reported to the attacker on install with no user consent.

The OpenSSF Package Analysis project identified '@listings/energy-labels' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged

99.0.099.0.1

Indicators of compromise (SHA-256)

4df629d1450770515d9dc9346d52b9b728dbaab01bbf64a4bb5c17563dcc6991

c7a6ad6a5c1f36077f116e189769ad92bac4bfeecb7a893df22cbc71577d3142

41caac3ab1f9c35a72841357174aeeec16c142c08cc28030a875b2dba85f04ba

74d56d725efc1fa5aeb50fa7308a150e4a7b84357445a6d097ed3ea73b31fbc7

Frequently asked questions

No. @listings/energy-labels on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005088IN-MAL-2026-005134IN-MAL-2026-005135

References

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection