Malicious package

ldpbootstrap-jquery (npm)

Malicious code in ldpbootstrap-jquery (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5790
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ldpbootstrap-jquery

What this malware does

ldpbootstrap-jquery ships and executes an obfuscated Windows PowerShell payload as part of its documented usage. The package contains dist/ps1-stub.enc.hex, an 8KB opaque hex-encoded blob, and dist/bootstrap.js decrypts it with a hardcoded XOR key (f633ffeeffbbc09da9f2b477e1183294), writes the decrypted PS1 to %LOCALAPPDATA%\Landpage<ps1FileName>, and invokes it via powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File <path> — explicitly bypassing execution policy and hiding the window. bootstrap.js also fetches a session-specific PS1 over plain HTTP from a consumer-configured apiBase (README example: http://192.168.1.143:3001) using MSXML2.ServerXMLHTTP with session/fingerprint headers, then writes and executes it via the same hidden PowerShell flow. The README explicitly documents AV evasion as a design goal, referencing docs/HTA-AV-HYGIENE.md and describing per-session XOR key derivation in an HTA context for MSI delivery. The shipped encrypted blob, hardcoded decryption key, hidden-window/policy-bypass PowerShell execution, and author-documented anti-virus evasion together constitute malware-distribution infrastructure. Although the harmful flow is invoked through the package's API rather than auto-running on npm install or require(), any developer using the package as documented will execute attacker-shaped, AV-evading PowerShell on Windows endpoints.

Malicious versions

5 flagged
1.0.9, 1.0.10, 1.0.11, 1.0.13, 1.0.15

Indicators of compromise (SHA-256)

Frequently asked questions

No. ldpbootstrap-jquery on npm has been identified as a malicious package (versions 1.0.9, 1.0.10, 1.0.11, 1.0.13, 1.0.15 flagged). It should be removed immediately — do not install or keep it in your dependency tree.
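
A lockfile check for the package and versions listed above, as an added example (not code from this advisory or from O3 Security). It assumes a parsed package-lock.json and also covers the older lockfileVersion 1 layout; the sample lockfile and the other package names in it are constructed.

```javascript
// Name and flagged versions are taken from the advisory text above.
const PACKAGE = 'ldpbootstrap-jquery';
const FLAGGED = new Set(['1.0.9', '1.0.10', '1.0.11', '1.0.13', '1.0.15']);

// Returns one finding per installed copy of the package, including transitive
// and nested copies that uninstalling a direct dependency does not remove.
function findMaliciousInstalls(lock) {
  const findings = [];
  const record = (where, version, resolved) => findings.push({
    where, version, flagged: FLAGGED.has(version), resolved: resolved || null,
  });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path. npm
  // records "name" only when the folder differs from the package (aliases).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === PACKAGE) record(path, meta.version, meta.resolved);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both views of the same tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PACKAGE) record(here.join(' > '), meta.version, meta.resolved);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (not from the advisory): one nested transitive
// copy at a flagged version and one aliased copy at a version not on the list.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/landing-kit': { version: '2.3.0' },
    'node_modules/landing-kit/node_modules/ldpbootstrap-jquery': { version: '1.0.13' },
    'node_modules/jq-shim': { name: 'ldpbootstrap-jquery', version: '9.9.9' },
    'node_modules/jquery': { version: '3.7.1' },
  },
};

for (const f of findMaliciousInstalls(SAMPLE_LOCK)) {
  console.log(`${f.flagged ? 'FLAGGED' : 'review'}  ${f.where}  ${f.version}`);
}
```

To audit a real project, pass the function the result of JSON.parse on the project's package-lock.json. Copies at versions outside the flagged list are reported with flagged set to false so they can be reviewed by hand.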

Campaign

IN-MAL-2026-006504, IN-MAL-2026-006497, IN-MAL-2026-006499, IN-MAL-2026-006496, IN-MAL-2026-006502, IN-MAL-2026-006498, IN-MAL-2026-006503, IN-MAL-2026-006501, IN-MAL-2026-006500

References

Credits

  • Amazon Inspector · finder

ldpbootstrap-jquery (npm) malicious package — MAL-2026-5790 | O3 Security