Malicious package

@webda-infra/search (npm)

Malicious code in @webda-infra/search (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5433
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @webda-infra/search

What this malware does

@webda-infra/search@99.9.1 is a near-empty placeholder (index.js is empty, module.exports = {}) whose package.json declares a single dependency, ltidisafe, resolved via a direct URL to a Google Cloud Storage bucket: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.4.tgz. The path segment depenconf, the burner-style version 99.9.1 chosen to outrank any legitimate internal @webda-infra/* package, and the absence of an integrity hash or version pin combine into a dependency-confusion / namespace-squat shape: any npm install that resolves this public package will fetch and install whatever bytes are hosted at that GCS URL, including any preinstall/install/postinstall lifecycle scripts in the resulting tarball. The GCS bucket is unrelated to any verified webda / webda-infra publisher and the URL is mutable: the operator can swap the served bytes at any time. The entire reason to install this package is to pull and execute arbitrary off-registry code on the installer's machine.
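One way to check an existing lockfile for the traits described above (a tarball resolved off-registry, a dependency declared as a direct URL, a burner-style version). This is an added example, not code from the advisory or its finder; `auditLock`, `TRUSTED_HOSTS`, `BURNER_MAJOR` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory): audit a package-lock.json (v2/v3 "packages" map).
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']); // assumption: add your private registry host
const BURNER_MAJOR = 99; // assumption: heuristic threshold for "outrank everything" versions

function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // skip the root project and workspace links
    const name = entry.name || path.split('node_modules/').pop();
    const reasons = [];
    // Tarball resolved from a host other than the trusted registry
    if (entry.resolved) {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch { /* unparseable source */ }
      if (!TRUSTED_HOSTS.has(host)) reasons.push(`off-registry source: ${entry.resolved}`);
    }
    // Dependency declared as a direct URL instead of a registry version range
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (/^(https?|git(\+\w+)?):/i.test(spec)) reasons.push(`URL dependency ${dep}: ${spec}`);
    }
    // Burner-style version chosen to win resolution over internal packages
    const major = parseInt(String(entry.version || '').split('.')[0], 10);
    if (major >= BURNER_MAJOR) reasons.push(`implausibly high version ${entry.version}`);
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample lockfile; integrity values are placeholders, not real hashes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/@webda-infra/search': { version: '99.9.1',
      resolved: 'https://registry.npmjs.org/@webda-infra/search/-/search-99.9.1.tgz', integrity: 'sha512-PLACEHOLDER',
      dependencies: { ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.4.tgz' } },
    'node_modules/ltidisafe': { version: '2.8.4',
      resolved: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.4.tgz', integrity: 'sha512-PLACEHOLDER' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(f.name, f.reasons);
```

In CI, pass the parsed contents of the real package-lock.json to `auditLock` and fail the job when it returns any finding.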

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

1440e1683583954f5e69d00ccb47aa66112bc979d244e7f9e148b16d84ae7ba0
1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73

Frequently asked questions

No. @webda-infra/search on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005046
IN-MAL-2026-005045

Credits

  • Amazon Inspector · finder

@webda-infra/search (npm) malicious package — MAL-2026-5433 | O3 Security