Which versions of field-plus are malicious?

The following npm versions of field-plus are flagged malicious: 99.99.1, 99.99.2. Treat any of these as compromised.

How do I remediate field-plus if I installed it?

Remove field-plus from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is field-plus part of a known attack campaign?

Yes — field-plus is associated with the IN-MAL-2026-006492, IN-MAL-2026-006493 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect field-plus in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking field-plus and packages like it before any post-install script runs.

Malicious package

field-plusnpm

Malicious code in field-plus (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5777

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall field-plus

What this malware does

package.json declares both preinstall and postinstall scripts that run curl against a hardcoded bare-IP HTTP endpoint (http://3.7.226.146:9000/callback), sending the installer's username ($(whoami)), hostname ($(hostname)), current working directory ($(pwd)), and a timestamp as query-string parameters. Output is suppressed and errors swallowed with || true so the beacon stays silent during npm install. The tarball ships only package.json — main: index.js is declared but not present — so the package has no library functionality; its sole effect on installation is the identity beacon. Version 99.99.1 plus the description "testing field plus" is the canonical shape of a dependency-confusion / namespace-squat probe used to identify which organizations resolve an internal-named package from the public registry.

Malicious versions

2 flagged

99.99.199.99.2

Indicators of compromise (SHA-256)

0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c

da1412d0ba61cadb9c28005b754fac70658159c6671eb92bb66bcc5ffa43d285

Frequently asked questions

No. field-plus on npm has been identified as a malicious package (versions 99.99.1, 99.99.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006492IN-MAL-2026-006493

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection