Which versions of @riskine-frontend/design-elements are malicious?

The following npm versions of @riskine-frontend/design-elements are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate @riskine-frontend/design-elements if I installed it?

Remove @riskine-frontend/design-elements from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed @riskine-frontend/design-elements — how do I know if it already compromised me?

If @riskine-frontend/design-elements was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @riskine-frontend/design-elements part of a known attack campaign?

Yes — @riskine-frontend/design-elements is associated with the IN-MAL-2026-003474, IN-MAL-2026-003475 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @riskine-frontend/design-elements across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @riskine-frontend/design-elements (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @riskine-frontend/design-elements across your stack and pipelines.

Malicious package

@riskine-frontend/design-elementsnpm

Malicious code in @riskine-frontend/design-elements (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4425

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @riskine-frontend/design-elements

What this malware does

@riskine-frontend/[email protected] is a near-empty package whose only effect on install is to pull an external dependency. index.js contains just module.exports = {}, package.json has placeholder metadata (empty description, empty author, no repository), and the version is inflated to 99.9.1 — the canonical shape of a dependency-confusion squat designed to win npm version resolution against an internal package of the same scoped name. Its single dependency ltidisafe is resolved not from the npm registry but from an arbitrary tarball URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.4.2.tgz — note the literal depenconf/ (dependency confusion) folder name. Installing this package causes npm to fetch and install that external GCS-hosted tarball, executing any lifecycle scripts it declares on the installer's machine. The combination of inflated version + empty wrapper + external non-registry tarball + depenconf path is unambiguous attacker tradecraft against Riskine's internal build systems.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

307db7b976bd8c59b1e8e8247fee9f91ab6a353bf0ae6aa129ceb8e552d6814c

d1d62d8ac53ddc44a1981386cc1fa409d52dabe22b1e5b9e73b8d3c36c9e4170

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @riskine-frontend/design-elements (version 99.9.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @riskine-frontend/design-elements across your stack and pipelines.
If you installed it — respond
Remove @riskine-frontend/design-elements from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @riskine-frontend/design-elements was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @riskine-frontend/design-elements before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @riskine-frontend/design-elements on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003474IN-MAL-2026-003475

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @riskine-frontend/design-elements-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring