Which versions of consumerweb-authflow are malicious?

The following npm versions of consumerweb-authflow are flagged malicious: 4.1.1, 4.1.3. Treat any of these as compromised.

How do I remediate consumerweb-authflow if I installed it?

Remove consumerweb-authflow from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is consumerweb-authflow part of a known attack campaign?

Yes — consumerweb-authflow is associated with the IN-MAL-2026-005254, IN-MAL-2026-005255 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect consumerweb-authflow in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking consumerweb-authflow and packages like it before any post-install script runs.

Malicious package

consumerweb-authflownpm

Malicious code in consumerweb-authflow (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5297

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall consumerweb-authflow

What this malware does

On npm install, postinstall.js executes automatically and POSTs the installer's hostname, OS username, and platform over HTTPS to a Burp Collaborator subdomain at kd1tbfhej84bcqde44rq77o79yfp3gr5.oastify.com. The request body also includes a self-identifying tag 'paypal-dep-confusion-poc', and package.json describes the package as a 'Dependency confusion PoC - H1-lingtys'. The package name 'consumerweb-authflow' appears to target an internal PayPal namespace via dependency-confusion: any build system that resolves this name from the public registry will leak host and user identity to the attacker's OAST endpoint at install time, confirming successful intrusion into a private build environment.

The OpenSSF Package Analysis project identified 'consumerweb-authflow' @ 4.1.1 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged

4.1.14.1.3

Indicators of compromise (SHA-256)

0a4795bc3b2c513417e92b1547d165f9b6cbb750f437b5bf3ac87e63832087ca

6046f90089681a0351528c2aec67d71ba49df4e2fb98bc7ce59206d3a9e02de1

1dfe3a6140cb37159a3f0284f9e5977fc40e3bfe77b7d320e1e13d5cb55e75c1

ae33044ec0b4ed91962290dba48f2643d92a9b625fcaa44dfbd7701af7b2fe95

Frequently asked questions

No. consumerweb-authflow on npm has been identified as a malicious package (versions 4.1.1, 4.1.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005254IN-MAL-2026-005255

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection