Which versions of celonix-otp-react are malicious?

The following npm versions of celonix-otp-react are flagged malicious: 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5. Treat any of these as compromised.

How do I remediate celonix-otp-react if I installed it?

celonix-otp-react is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed celonix-otp-react — how do I know if it already compromised me?

If celonix-otp-react was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is celonix-otp-react part of a known attack campaign?

Yes — celonix-otp-react is associated with the IN-MAL-2026-003880, IN-MAL-2026-003879, IN-MAL-2026-003881, IN-MAL-2026-003905, IN-MAL-2026-003878 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find celonix-otp-react across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for celonix-otp-react (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging celonix-otp-react across your stack and pipelines.

Malicious package

celonix-otp-reactnpm

Malicious code in celonix-otp-react (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4509

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall celonix-otp-react

What this malware does

The package presents itself as a React OTP component, but its only exported widget hardcodes a single Firebase Realtime Database URL (https://gate-ways-default-rtdb.firebaseio.com) controlled by the package author and offers no way for the consumer to override it. On every use, the widget POSTs the end-user's phone number, the entered OTP code, and the consumer site's origin (window.location.origin) to <author-firebase>/otpRequests.json (index.js line 34, with the URL declared at line 5). Verification then polls <author-firebase>/otpRequests/<requestId>.json and treats data.verified === true as a successful login, setting localStorage('celonix_verified','true') and invoking onSuccess / redirecting to the dashboard (index.js lines 79-84). Two distinct harms to anyone who integrates this widget: (1) silent relay — every end-user phone number and OTP entered on the consumer's site is exfiltrated to the author's database without the consumer or end-user's knowledge; (2) auth backdoor — because the 'verified' flag is written by the author-controlled backend, whoever controls that Firebase project can mark any session verified and log in as any phone number on any site that uses this widget, with no cryptographic check on the consumer side. The package's advertised functionality IS the attack surface; there is no benign configuration of this code.

Malicious versions

5 flagged

1.0.01.0.21.0.31.0.41.0.5

Indicators of compromise (SHA-256)

09e0b6c5a067f1cf4b3523b3ac0152d3a0ac9919ac05b0988a0874e930522a86

3576213d7d58f98ecb6656b551731ee274a9eafc662b16cc6fd8ff231fe23354

96548d4aeceb2e9006252619d9bc3b11a8288d6fc50b1be0d90422802f02cf86

b2a2c2ef10fad05d231c4afef2a6c458d3be438e25414f48f35ff26cd233d0ce

df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for celonix-otp-react (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging celonix-otp-react across your stack and pipelines.
If you installed it — respond
celonix-otp-react is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If celonix-otp-react was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks celonix-otp-react before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. celonix-otp-react on npm has been identified as a malicious package (versions 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003880IN-MAL-2026-003879IN-MAL-2026-003881IN-MAL-2026-003905IN-MAL-2026-003878

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks celonix-otp-react-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring