Malicious package

getui-library (npm)

Malicious code in getui-library (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5474
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall getui-library

What this malware does

On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 with query parameters containing the installer's hostname (os.hostname()), username (os.userInfo()), platform (os.platform()), current working directory, CI environment indicators, package name/version, and a timestamp. Errors are silently swallowed to avoid breaking the install. The package's own description self-identifies as a typosquat placeholder for the @getd/* scoped namespace, so any developer who mistypes the intended package name is fingerprinted without consent. Regardless of the author's stated 'defensive security research' rationale, the technical behavior is unconsented installer-side identifier exfiltration to a third-party webhook collector triggered automatically by the postinstall lifecycle hook.

Malicious versions

1 flagged
0.0.1
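
To check whether a project is affected, the following added example (not code from this advisory or from the package) audits a parsed package-lock.json for getui-library 0.0.1 and, going beyond this one package, lists every dependency whose lockfile entry sets hasInstallScript (lockfile v2/v3). The function names, the sample lockfile and the packages example-util, native-thing and ui-kit are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the flagged package
// and for any dependency that runs install-time lifecycle scripts.
const FLAGGED = { name: "getui-library", versions: ["0.0.1"] }; // from this advisory

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  const check = (name, version, where, hasInstallScript) => {
    if (name === FLAGGED.name) {
      const flagged = FLAGGED.versions.includes(version);
      findings.push({ kind: flagged ? "malicious" : "name-match", name, version, where });
    } else if (hasInstallScript) {
      findings.push({ kind: "install-script", name, version, where });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    check(entry.name || nameFromPath(key), entry.version, key, entry.hasInstallScript === true);
  }
  // lockfileVersion 1: nested "dependencies" tree (no hasInstallScript field).
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, [...trail, name].join(" > "), false);
      walk(entry.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (hypothetical project and package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-util": { version: "1.3.0" },
    "node_modules/native-thing": { version: "2.1.0", hasInstallScript: true },
    "node_modules/ui-kit/node_modules/getui-library": { version: "0.0.1", hasInstallScript: true },
  },
};

console.log(auditLockfile(sampleLock));
```

On a real project, pass the result of `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as postinstall from executing while the audit is under way.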

Indicators of compromise (SHA-256)

25760a4672dd1edac426c0859125237d5a9a91268531665935249ea5bb4509a4
bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a

Frequently asked questions

No. getui-library on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005202, IN-MAL-2026-005201

Credits

  • Amazon Inspector · finder

getui-library (npm) malicious package — MAL-2026-5474 | O3 Security