Malicious package

firefly-utilities-helper (npm)

Malicious code in firefly-utilities-helper (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5517
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall firefly-utilities-helper

What this malware does

firefly-utilities-helper@99.9.1 ships an empty stub (index.js: module.exports = {};) with no description, author, or repository, but declares a single dependency, ltidisafe, as a direct tarball URL: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz. The bucket is on Google Cloud Storage, unrelated to any documented publisher, and the bucket/path naming (ltidi/depenconf) is consistent with a dependency-confusion staging area. URL-tarball dependencies bypass the npm registry's visibility, signature, and tooling: npm install will fetch the .tgz directly and execute any preinstall/install/postinstall lifecycle scripts it ships, with no hash pin, no signature, and no registry review. The wrapper contributes no functionality; its only effect on install is to smuggle the off-registry tarball into the installer's dependency tree. The high version number (99.9.1) and absent metadata are also consistent with a dependency-confusion lure intended to outrank an internal package of the same name.
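The paragraph above turns on how npm resolves a dependency specifier: a semver range goes through the registry, while an http(s) tarball URL is fetched and unpacked directly, lifecycle scripts and all. The script below is an added example (not O3 Security's or OpenSSF's code) that classifies every specifier in a package.json the way npm will resolve it and reports the ones that never touch the registry, so a reviewer or CI job can catch this pattern before install. The sample manifest is constructed here: its first dependency is the tarball URL quoted in the advisory, and the remaining entries (lodash, left-pad, some-lib, local-tool) are made-up specifiers of the other kinds, included only to show the classification.

```python
"""Flag npm dependencies whose specifier bypasses the registry.

Added example, not code from the advisory or from any of the projects it
credits. Run with no arguments to audit the constructed sample manifest,
or pass a path to a real package.json.
"""
import json
import re
import sys
from urllib.parse import urlparse

# Constructed sample manifest modelled on the advisory: an empty wrapper whose
# suspicious dependency is the tarball URL quoted above. The other entries are
# invented specifiers that exercise each resolution kind.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "firefly-utilities-helper",
    "version": "99.9.1",
    "main": "index.js",
    "dependencies": {
        "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.6.tgz",
        "lodash": "^4.17.21",
        "left-pad": "npm:left-pad@^1.3.0",
        "some-lib": "github:example-org/some-lib#v2",
        "local-tool": "file:../local-tool",
    },
})

GIT_PREFIXES = ("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")
LOCAL_PREFIXES = ("file:", "link:", "workspace:", "./", "../", "/")
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")  # owner/repo[#ref]


def classify_spec(spec: str) -> str:
    """Return how npm will resolve a dependency specifier.

    'registry' : version range or dist-tag fetched through the configured registry
    'alias'    : npm:<name>@<range>, still a registry fetch but under another name
    'url'      : http(s) tarball downloaded directly; no registry metadata or review
    'git'      : git URL or GitHub shorthand, fetched from the host, not the registry
    'local'    : file:, link:, workspace: or a relative/absolute path
    """
    s = spec.strip()
    if s.startswith("npm:"):
        return "alias"
    if s.startswith(("http://", "https://")):
        return "git" if s.endswith(".git") else "url"
    if s.startswith(GIT_PREFIXES) or GITHUB_SHORTHAND.match(s):
        return "git"
    if s.startswith(LOCAL_PREFIXES) or s.endswith((".tgz", ".tar.gz")):
        return "local"
    return "registry"


def audit_manifest(package_json: str) -> list:
    """One finding per dependency that is not resolved through the registry."""
    manifest = json.loads(package_json)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(spec)
            if kind in ("registry", "alias"):
                continue
            # For tarball URLs, surface the host so a reviewer sees e.g. an
            # arbitrary cloud-storage bucket instead of a known package host.
            host = urlparse(spec).hostname if kind == "url" else None
            findings.append({"field": field, "name": name, "spec": spec,
                             "kind": kind, "host": host})
    return findings


def metadata_gaps(package_json: str) -> list:
    """Publisher metadata fields that are missing or empty (all three in the lure)."""
    manifest = json.loads(package_json)
    return [k for k in ("description", "author", "repository") if not manifest.get(k)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGE_JSON
    for f in audit_manifest(text):
        extra = f"  host={f['host']}" if f["host"] else ""
        print(f"{f['kind']:<9}{f['name']:<14}{f['spec']}{extra}")
    gaps = metadata_gaps(text)
    if gaps:
        print("missing publisher metadata:", ", ".join(gaps))
```

Any "url" finding is worth blocking outright in CI: the tarball is fetched with no registry metadata to inspect, and its lifecycle scripts run on install. Running the same classifier against each package's own package.json inside node_modules extends the check to transitive dependencies, which is exactly where a wrapper like this one hides its payload.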

The OpenSSF Package Analysis project identified 'firefly-utilities-helper' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

783cf770777fff7cfffc2abec6cebd37f9e11f9e219c95e9879dda1222f9177c
cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59
72e58b905aa1de5ac2326fa5797442959160fb1566547987fc82fa4746f2a5f0

Frequently asked questions

No. firefly-utilities-helper on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005261
IN-MAL-2026-005262

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder
