Which versions of ing-feat-itsme-oidc-authentication are malicious?

The following npm versions of ing-feat-itsme-oidc-authentication are flagged malicious: 99.99.99. Treat any of these as compromised.

How do I remediate ing-feat-itsme-oidc-authentication if I installed it?

Remove ing-feat-itsme-oidc-authentication from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ing-feat-itsme-oidc-authentication part of a known attack campaign?

Yes — ing-feat-itsme-oidc-authentication is associated with the IN-MAL-2026-006490, IN-MAL-2026-006491 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ing-feat-itsme-oidc-authentication in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ing-feat-itsme-oidc-authentication and packages like it before any post-install script runs.

Malicious package

ing-feat-itsme-oidc-authenticationnpm

Malicious code in ing-feat-itsme-oidc-authentication (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5780

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ing-feat-itsme-oidc-authentication

What this malware does

On npm install, package.json's preinstall hook executes poc.js, which collects os.hostname(), os.userInfo().username, process.cwd(), and process.platform, base64-encodes the values, and issues an HTTPS GET to https://d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live/cb?id=<token>&d=<b64> — sending installer host, user, working directory, and platform to an external Burp Collaborator / interactsh subdomain without consent. The package is named to mimic an internal ING Bank namespace and pinned to version 99.99.99 to win resolution in dependency-confusion scenarios. Any developer or CI environment that resolves this name leaks identifying host data to an attacker-controlled collaborator endpoint. This matches the textbook dependency-confusion exfiltration pattern regardless of any authorization claim made by the author.

Malicious versions

1 flagged

99.99.99

Indicators of compromise (SHA-256)

175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5

1a856d57687500c13a5582ce21b881745336d65d4aa952ca939a301876d65b23

Frequently asked questions

No. ing-feat-itsme-oidc-authentication on npm has been identified as a malicious package (version 99.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006490IN-MAL-2026-006491

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection