Which versions of getd-ui-library are malicious?

The following npm versions of getd-ui-library are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate getd-ui-library if I installed it?

Remove getd-ui-library from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is getd-ui-library part of a known attack campaign?

Yes — getd-ui-library is associated with the IN-MAL-2026-005204, IN-MAL-2026-005203 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect getd-ui-library in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking getd-ui-library and packages like it before any post-install script runs.

Malicious package

getd-ui-librarynpm

Malicious code in getd-ui-library (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5471

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall getd-ui-library

What this malware does

On npm install, postinstall.js runs unconditionally (scripts.postinstall = 'node postinstall.js') and sends an HTTPS GET to a hardcoded webhook.site URL carrying the installer's hostname (os.hostname()), username (os.userInfo().username), platform (os.platform()), current working directory (process.cwd()), and CI-detection environment variables (CI, BUILD_BUILDID, AGENT_NAME) as query parameters. webhook.site is an anonymous request-capture service — whoever holds the UUID receives identifying telemetry from every machine that installs this package, useful for follow-on targeting (CI build agent fingerprinting, developer host enumeration). Errors from the request are swallowed silently. The package additionally occupies the unscoped name getd-ui-library to mimic the legitimate scoped @getd/ui-library package; any developer who mistypes the install name receives this beacon. The package's own README framing this as 'defensive squat' research does not change the installer-side impact: host/user/cwd identifiers leave the machine on every install with no opt-in.

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

600dc0698dbd55835d4f128bc75ef8e4722db79a071a4bf4fc5dd6ffbe741448

fcdbf66757b102ed524f01c498adae819b02968aa455f57316f4e08af1fb9ea0

Frequently asked questions

No. getd-ui-library on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005204IN-MAL-2026-005203

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection