Malicious package

getd-handler-api (npm)

Malicious code in getd-handler-api (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5467
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall getd-handler-api

What this malware does

On npm install, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables, then sends them via HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 (postinstall.js line 18). Errors are silenced so the beacon runs invisibly during install. Although package.json describes itself as a 'defensive' typosquat placeholder for the @getd/* scope, installer-side identifiers leave the machine unconditionally without consent on every install, which is unauthorized data collection regardless of stated intent. The combination of a typosquat-shaped name and an automatic install-time phone-home is the standard namespace-abuse exfil pattern.

Malicious versions

1 flagged
0.0.1
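
An added example, not part of the original advisory: a check for the flagged name and version in a parsed package-lock.json, which also catches the package when it arrives as a transitive or aliased dependency. `findFlagged` is a hypothetical helper name and `SAMPLE_LOCK` is constructed for illustration.

```javascript
// Added example (not from the advisory): locate the flagged package in a
// parsed package-lock.json. Name and version are taken from this page.
const FLAGGED = { name: "getd-handler-api", versions: ["0.0.1"] };

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, path, hasInstallScript) => {
    if (name !== flagged.name) return;
    const flaggedVersion = flagged.versions.includes(version);
    // hasInstallScript is null when the lockfile format does not record it.
    hits.push({ path, version, flaggedVersion, hasInstallScript });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf("node_modules/");
      // meta.name is set when the folder name differs from the real package
      // name (npm aliases), so prefer it over the path.
      const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
      check(name, meta.version, path, Boolean(meta.hasInstallScript));
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path, null);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: the package arrives as a transitive dependency.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "2.1.0" },
    "node_modules/example-lib/node_modules/getd-handler-api": {
      version: "0.0.1", hasInstallScript: true,
    },
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json contents to `findFlagged`; any hit means the install hook may already have run on machines that installed from that lockfile.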

Indicators of compromise (SHA-256)

63178df74f217762fac782de932a2278af8a58d904245550ba57e1ac020a2367
83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5

Frequently asked questions

No. getd-handler-api on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005206
IN-MAL-2026-005205

Credits

  • Amazon Inspector · finder

getd-handler-api (npm) malicious package — MAL-2026-5467 | O3 Security