Malicious package

mazemap (npm)

Malicious code in mazemap (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5448
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall mazemap

What this malware does

package.json declares its only dependency ltidisafe as a direct HTTPS tarball URL (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz) hosted on a generic Google Cloud Storage bucket rather than resolved from the npm registry. On npm install mazemap, npm fetches and installs that arbitrary tarball, executing any lifecycle scripts (preinstall/install/postinstall) it contains — the tarball is bucket-owner-mutable and not subject to registry vetting. The package itself is a hollow lure: index.js is a 35-byte module.exports = {};, with no description, no author, ISC default license, and version 99.9.1 — a recognized dependency-confusion technique for overriding an internal package of the same name via a higher public version. The bucket path segment is literally depenconf. The combination of hollow main, inflated version, anonymous GCS-hosted dependency, and name collision with a real product (MazeMap) is a dependency-confusion / smuggling shape whose only on-install effect is to pull and execute attacker-controlled code from a non-registry source.
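An added example (not code from this advisory or its publisher) of a check for the traits described above: dependency specs that point at a URL instead of the registry, an inflated major version, and lockfile entries resolved from a non-registry host. The function names, the version threshold of 90 and the sample lockfile are assumptions made for illustration; the sample manifest is constructed from the description above.

```javascript
// Flags the traits this advisory describes in a parsed package.json and
// package-lock.json (lockfile v2/v3). All sample data below is constructed.
const REGISTRY_HOSTS = new Set(['registry.npmjs.org']); // assumption: add your private registry host

function remoteSpecs(manifest) {
  // A dependency whose spec is a URL is fetched directly, bypassing the registry.
  const out = [];
  for (const field of ['dependencies', 'optionalDependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (/^(https?:|git(\+\w+)?:)/i.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

function inflatedVersion(manifest, threshold = 90) {
  // A very high major version can outrank an internal package of the same name.
  const major = parseInt(String(manifest.version || '0').split('.')[0], 10);
  return Number.isInteger(major) && major >= threshold;
}

function offRegistryLockEntries(lock) {
  // Each entry under "packages" records the URL it was resolved from.
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || entry.link) continue; // root project and workspace links
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* not a URL */ }
    if (!host || !REGISTRY_HOSTS.has(host)) out.push({ path, resolved: entry.resolved });
  }
  return out;
}

// Constructed manifest mirroring the one described in this advisory.
const sampleManifest = {
  name: 'mazemap', version: '99.9.1', main: 'index.js', license: 'ISC',
  dependencies: { ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz' },
};
// Constructed lockfile fragment: one registry package, one off-registry tarball.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/example-lib': { version: '1.0.0', resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-1.0.0.tgz' },
  'node_modules/ltidisafe': { version: '3.0.2', resolved: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz' },
} };

console.log(remoteSpecs(sampleManifest), inflatedVersion(sampleManifest), offRegistryLockEntries(sampleLock));
```

In CI, load the real files with JSON.parse(fs.readFileSync(...)) and fail the build when either list is non-empty.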

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0
ecccd07042bcd8a96f5ad7d2cdba5ecd1b36fac689210c4bdd4575b2d9a92cb6

Frequently asked questions

No. mazemap on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005033, IN-MAL-2026-005034

Credits

  • Amazon Inspector · finder

mazemap (npm) malicious package — MAL-2026-5448 | O3 Security