Malicious package

flow-lending-sdk (npm)

Malicious code in flow-lending-sdk (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5804
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall flow-lending-sdk

What this malware does

flow-lending-sdk@9.9.9 declares preinstall: node index.js || true in package.json, causing index.js to execute automatically on npm install. The script collects host identity (hostname, username, cwd) and iterates process.env, filtering for keys matching /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i — i.e., wallet seed phrases, private keys, API tokens, and infrastructure credentials. The collected JSON is HTTPS-POSTed to the bare IP 2.25.140.71:8443 at path /surflending/npm-confusion. The package ships no real SDK functionality (description is the placeholder flow-lending-sdk SDK, version is 9.9.9), and the exfil URL path explicitly names this as a dependency-confusion attack — almost certainly targeting developers of Cardano/Flow lending infrastructure who expect a private internal package of this name.

Malicious versions

1 flagged
9.9.9

Indicators of compromise (SHA-256)

0f8225230e2af0557fe785414906d6a2ee23d786468bcf5cfb72d75b4f0a7cfc
faf2e80d03da797a24237629d2c2bc87fa936f996c4de55bcd938283b1a617b9

Frequently asked questions

No. flow-lending-sdk on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006610
IN-MAL-2026-006609

Credits

  • Amazon Inspector · finder
