Malicious package

commons-ui-styles (npm)

Malicious code in commons-ui-styles (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5437
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall commons-ui-styles

What this malware does

commons-ui-styles@99.9.1 is an empty placeholder package (index.js exports {}, description/author blank, version bumped to 99.9.1 — the classic dependency-confusion override shape) whose only on-install effect is dependency resolution. Its package.json declares a transitive dependency ltidisafe resolved from a hardcoded non-registry tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.6.tgz) on a Google Cloud Storage bucket. The path segment literally contains depenconf, indicating dependency-confusion tooling. On npm install commons-ui-styles, npm fetches whatever bytes that bucket currently serves and installs them as a dependency; any preinstall/install/postinstall lifecycle scripts in the fetched tarball run on the installer's host. The bucket owner controls the payload contents at any time, with no version pinning to the npm registry, no integrity check beyond what npm computes against the live download, and no relationship to a documented publisher.
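
A defender-side check for the pattern described above, as an added example that is not part of the original advisory: it walks a package-lock.json (lockfileVersion 2 or 3) and reports packages that were resolved from, or pin a dependency to, a URL outside an allowlisted registry host. The function names, the allowlist and the sample lockfile are assumptions constructed for illustration.

```javascript
// Assumption: this project should only resolve packages from the public npm registry.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Host of a URL-style spec or "resolved" value; null for semver ranges and the like.
function remoteHost(value) {
  if (typeof value !== 'string' || !/^(git\+)?(https?|ssh):\/\//.test(value)) return null;
  try { return new URL(value.replace(/^git\+/, '')).hostname; }
  catch { return 'unparseable'; }
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3) and report
//   resolved: a package whose tarball came from a host outside the allowlist
//   url-spec: a package whose manifest pins a dependency to a URL, not a range
function findNonRegistryDeps(lock, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop() || '(root)';
    const host = remoteHost(pkg.resolved);
    if (host && !allowed.has(host)) {
      findings.push({ kind: 'resolved', pkg: name, target: pkg.resolved });
    }
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const [dep, spec] of Object.entries(deps)) {
      const specHost = remoteHost(spec);
      if (specHost && !allowed.has(specHost)) {
        findings.push({ kind: 'url-spec', pkg: name, dep, target: spec });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment; the tarball URL is the one quoted in the advisory.
const TARBALL = 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.6.tgz';
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'commons-ui-styles': '^99.9.1' } },
    'node_modules/commons-ui-styles': {
      version: '99.9.1',
      resolved: 'https://registry.npmjs.org/commons-ui-styles/-/commons-ui-styles-99.9.1.tgz',
      dependencies: { ltidisafe: TARBALL },
    },
    'node_modules/ltidisafe': { version: '2.9.6', resolved: TARBALL },
  },
};
console.log(findNonRegistryDeps(SAMPLE_LOCK));
```

To use it on a real project, pass the parsed contents of package-lock.json and add any private registry hosts to the allowlist.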

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

0e7b193f10d4887360722fe1f0898f3bf456faceeaf7e7c6be801c6fc45d7d77
8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48

Frequently asked questions

No. commons-ui-styles on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005038
IN-MAL-2026-005037

Credits

  • Amazon Inspector · finder

commons-ui-styles (npm) malicious package — MAL-2026-5437 | O3 Security