Malicious package

corporate-front-vue (npm)

Malicious code in corporate-front-vue (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5438
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall corporate-front-vue

What this malware does

corporate-front-vue@99.9.1 is a near-empty shim (index.js exports an empty object) whose only meaningful content is a tarball-URL dependency declared in package.json: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.7.tgz". On npm install, npm fetches and installs that tarball directly from an arbitrary Google Cloud Storage bucket, bypassing npm registry review, and executes whatever lifecycle scripts and code it contains on the installer's machine.

The package metadata reinforces the dependency-confusion shape: version 99.9.1 (a classic high-overshoot version, designed to outrank an internal-registry package of the same name), empty description, empty author, default ISC license. The path segment depenconf in the tarball URL further matches the dependency-confusion pattern. The registry-visible package exists solely as a loader for non-registry, attacker-controlled bytes.
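
The two traits described above (a dependency declared as a tarball URL and a high-overshoot version number) can be checked for in your own manifests and lockfiles. The following is an added example, not code from this advisory or from O3 Security; the approved-host list, the major-version threshold of 99, and the sample manifest and lockfile are constructed assumptions.

```javascript
// Added example: flag the two traits this advisory describes.
// Assumptions: REGISTRY_HOSTS and OVERSHOOT_MAJOR are values you set for your own environment.
const REGISTRY_HOSTS = new Set(['registry.npmjs.org']);
const OVERSHOOT_MAJOR = 99;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// True when a dependency specifier makes npm fetch bytes from outside the registry
// (tarball URL, git URL or GitHub shorthand prefix) instead of resolving a semver range.
const isRemoteSpec = (spec) => /^(https?:|git\+|git:|github:)/i.test(String(spec));

// Audit one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  const major = parseInt(String(manifest.version || '').split('.')[0], 10);
  if (major >= OVERSHOOT_MAJOR) {
    findings.push({ rule: 'version-overshoot', name: manifest.name, detail: manifest.version });
  }
  for (const field of DEP_FIELDS) {
    for (const [dep, spec] of Object.entries(manifest[field] || {})) {
      if (isRemoteSpec(spec)) findings.push({ rule: 'remote-dependency', name: dep, detail: spec });
    }
  }
  return findings;
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3): every http(s) "resolved"
// URL must point at an approved registry host. Catches transitive cases too.
function auditLock(lock) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (!/^https?:/i.test(entry.resolved || '')) continue;
    if (!REGISTRY_HOSTS.has(new URL(entry.resolved).host)) {
      findings.push({ rule: 'off-registry-resolved', name: pkgPath, detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed samples: a manifest shaped as the advisory describes, and a lockfile fragment.
const TARBALL = 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.7.tgz';
const sampleManifest = { name: 'corporate-front-vue', version: '99.9.1', description: '',
  author: '', license: 'ISC', dependencies: { ltidisafe: TARBALL } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/vue': { version: '3.4.0', resolved: 'https://registry.npmjs.org/vue/-/vue-3.4.0.tgz' },
  'node_modules/ltidisafe': { version: '2.9.7', resolved: TARBALL },
} };

console.log(auditManifest(sampleManifest), auditLock(sampleLock));
```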

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

97f5749ef14c0d24376c094ef5d1b19fa0d03a2729b61f4a170b21dc0c876f91
d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12

Frequently asked questions

No. corporate-front-vue on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005036
IN-MAL-2026-005035

Credits

  • Amazon Inspector · finder

corporate-front-vue (npm) malicious package — MAL-2026-5438 | O3 Security