Which versions of @webd-infra/query-designer-domain are malicious?

The following npm versions of @webd-infra/query-designer-domain are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate @webd-infra/query-designer-domain if I installed it?

Remove @webd-infra/query-designer-domain from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @webd-infra/query-designer-domain part of a known attack campaign?

Yes — @webd-infra/query-designer-domain is associated with the IN-MAL-2026-005048, IN-MAL-2026-005047 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @webd-infra/query-designer-domain in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @webd-infra/query-designer-domain and packages like it before any post-install script runs.

Malicious package

@webd-infra/query-designer-domainnpm

Malicious code in @webd-infra/query-designer-domain (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5431

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @webd-infra/query-designer-domain

What this malware does

The package's package.json declares its only dependency ltidisafe as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.3.tgz. On npm install, npm fetches this tarball from a Google Cloud Storage bucket (not the npm registry) and runs whatever lifecycle scripts it contains. The bucket owner — not an npm publisher with registry-side accountability — controls exactly which bytes get executed, and the tarball contents at that URL can change at any time. Supporting indicators: the package has empty author and description fields, the version 99.9.1 is the canonical dependency-confusion sentinel used in research/PoC packages, and the bucket path segment is the literal string depenconf. The package itself ships no other runtime code — its sole effect on installers is resolving and executing this off-registry tarball.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

09de5dd8298cd731b0a421ff015b7830918c5d8d5ac3fe29378ecf042596832a

1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3

Frequently asked questions

No. @webd-infra/query-designer-domain on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005048IN-MAL-2026-005047

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection