Which versions of @webapp-next/store are malicious?

The following npm versions of @webapp-next/store are flagged malicious: 91.1.0. Treat any of these as compromised.

How do I remediate @webapp-next/store if I installed it?

@webapp-next/store is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @webapp-next/store — how do I know if it already compromised me?

If @webapp-next/store was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @webapp-next/store part of a known attack campaign?

Yes — @webapp-next/store is associated with the IN-MAL-2026-002798, IN-MAL-2026-002735 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @webapp-next/store across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webapp-next/store (version 91.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webapp-next/store across your stack and pipelines.

Malicious package

@webapp-next/storenpm

Malicious code in @webapp-next/store (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-3749

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @webapp-next/store

What this malware does

package.json declares "preinstall": "node index.js", which runs automatically on npm install. index.js collects os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release/memory/CPU info, process.cwd(), and the output of shell commands whoami and id, then POSTs the aggregated JSON to https://oia2jeijtfmt053ynp686t5riioac00p.oastify.com/testbydext. The destination is a Burp Suite Collaborator out-of-band interaction subdomain controlled by the attacker. The package has no legitimate functionality — index.js contains only the exfiltration payload, and package.json carries empty author/description fields under a scope (@webapp-next) that resembles a legitimate namespace, consistent with a dependency-confusion lure.

Malicious versions

1 flagged

91.1.0

Indicators of compromise (SHA-256)

caf033fac1ae50b98e1a222c76831e7012e140234a28dd7e8d0a41a55cf388f7

cbad3803cdda40845fe2aa64e0963b9293f9ee523b3f9205a354da2ae1e317bf

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @webapp-next/store (version 91.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @webapp-next/store across your stack and pipelines.
If you installed it — respond
@webapp-next/store is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @webapp-next/store was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @webapp-next/store before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @webapp-next/store on npm has been identified as a malicious package (version 91.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002798IN-MAL-2026-002735

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @webapp-next/store-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring