Malicious package

@payment-review/store (npm)

Malicious code in @payment-review/store (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5427
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @payment-review/store

What this malware does

package.json declares preinstall: node index.js || true, so installing the package automatically runs index.js on npm install.

The script collects host identity fields (os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package id), serializes them as JSON, and exfiltrates them via two channels: (1) an HTTP POST to the hardcoded bare IP http://172.201.213.59:9090/c, and (2) a hex-encoded DNS resolution against a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (Interactsh out-of-band exfiltration).

The package metadata (@payment-review/store, version 99.0.0, description "security research", no real functionality) matches the dependency-confusion shape: a high version number under a target-org-styled scope intended to override an internal private package of the same name. Installing this package leaks the installer's host and user identity to attacker-controlled infrastructure with no user consent.
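To check a project for this package and for the dependency-confusion shape described above, the following added example (not part of the advisory or of any vendor tooling) audits a parsed package-lock.json. The internal scope list and the registry host npm.internal.example are hypothetical assumptions, and the sample lockfile is constructed.

```javascript
// Advisory data from this page: flagged package and versions.
const FLAGGED = new Map([["@payment-review/store", ["99.0.0", "99.0.1"]]]);
// Assumptions (hypothetical): privately published scopes and the only
// registry host they may legitimately resolve from.
const INTERNAL_SCOPES = ["@payment-review"];
const INTERNAL_REGISTRY_HOST = "npm.internal.example";

// Lockfile keys look like "node_modules/a/node_modules/@scope/name".
function packageName(key, entry) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return entry.name || (i < 0 ? key : key.slice(i + marker.length));
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || entry.link) continue; // skip root project and workspace links
    const name = packageName(key, entry);
    const reasons = [];
    if ((FLAGGED.get(name) || []).includes(entry.version)) reasons.push("flagged-version");
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && INTERNAL_SCOPES.includes(scope)) {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch { /* missing or not a URL */ }
      if (host !== INTERNAL_REGISTRY_HOST) reasons.push("internal-scope-from-foreign-registry");
    }
    // hasInstallScript marks packages whose lifecycle scripts run on npm install.
    if (reasons.length && entry.hasInstallScript) reasons.push("install-script");
    if (reasons.length) findings.push({ name, version: entry.version, path: key, reasons });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/@payment-review/store": { version: "99.0.1", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/@payment-review/store/-/store-99.0.1.tgz" },
    "node_modules/@payment-review/ui": { version: "2.3.0",
      resolved: "https://npm.internal.example/@payment-review/ui/-/ui-2.3.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

An internal-scope package that resolves from any other registry is reported even when its version is not on the flagged list, which catches the same pattern under a different version number.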

Malicious versions

2 flagged
99.0.0
99.0.1

Indicators of compromise (SHA-256)

0d4410dd7531b8073ca94b67e1f378c1384acfe969b9b8a12ed934be962b1565
16277824e707bfa5d164fe338408172b64a7e3c02ee6669b1391b8ad1ae41965
98ffd07a5d66d1101647686e7de8afd31b09a0af01aa3118a9de460089751408
2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e

Frequently asked questions

No. @payment-review/store on npm has been identified as a malicious package (versions 99.0.0, 99.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005081
IN-MAL-2026-005080
IN-MAL-2026-005137
IN-MAL-2026-005136

Credits

  • Amazon Inspector · finder

@payment-review/store (npm) malicious package — MAL-2026-5427 | O3 Security