Malicious code in kraken-ui (npm)

Remove it immediately and rotate any exposed credentials.

MAL-2026-5399
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall kraken-ui

What this malware does

On require/load, index.js imports os, dns, https, querystring, and the local package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (the install path), dns.getServers(), and the full package.json contents, and HTTPS POSTs the JSON payload to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com (a Burp Collaborator OAST subdomain). The version number 999.0.0 together with the package's self-description as a 'dependency confusion proof of concept' is the canonical dependency-confusion shape: the package is published to the public registry so that it overrides an internal package of the same name. Any installer or build system whose resolver picks up this version leaks identifying host/user information and internal DNS topology to an attacker-controlled out-of-band server. The behavior fires automatically as soon as the module's main entry is loaded; no function needs to be called.

Malicious versions

1 flagged
999.0.0

Indicators of compromise (SHA-256)

168f5bafda658807ea431a8cb06a1e3006d639d17b7f0c97d3d63e34f49129d5
88479e71edbc32519f47f7b8dc147285016c90e64650c763a784fee83f022c95

Frequently asked questions

No. kraken-ui on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004965
IN-MAL-2026-004966

Credits

  • Amazon Inspector · finder

kraken-ui (npm) malicious package — MAL-2026-5399 | O3 Security