
Malicious code in loadninja-shared (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5744
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall loadninja-shared

What this malware does

loadninja-shared@9.9.99 is a dependency-confusion package aimed at an internal/private package name. Its package.json declares "postinstall": "node beacon.js", so the script runs automatically during npm install. beacon.js reads os.hostname() and sends it, together with a nonce and the package name, to the attacker-controlled out-of-band domain tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com (Burp Collaborator infrastructure) over two channels: a DNS lookup (dns.lookup(NONCE + '.' + host63 + '.' + HOST, ...)) and an HTTPS POST. The version 9.9.99 is the usual high-version trick for winning npm resolution against a legitimate internal package of the same name, so that misrouted internal builds are captured. A code comment calls the file a "benign PoC", but the behaviour is identical to a live dependency-confusion beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.

The OpenSSF Package Analysis project identified 'loadninja-shared' @ 9.9.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
9.9.99

Indicators of compromise (SHA-256)

4d2bec7384a59c29b1f8dc5ca186674f7462dfc1c7768326606dcf855ba46fc7
dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46
1ead72fc15074f049a104031ef60cad8af0f0680d1bf5ffee1492f500a3506d8

Frequently asked questions

No. loadninja-shared on npm has been identified as a malicious package (version 9.9.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006370
IN-MAL-2026-006369

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder
