Which versions of mds-webcomponents are malicious?

The following npm versions of mds-webcomponents are flagged malicious: 1.0.0, 1.0.2. Treat any of these as compromised.

How do I remediate mds-webcomponents if I installed it?

Remove mds-webcomponents from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is mds-webcomponents part of a known attack campaign?

Yes — mds-webcomponents is associated with the IN-MAL-2026-005297 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect mds-webcomponents in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking mds-webcomponents and packages like it before any post-install script runs.

Malicious package

mds-webcomponentsnpm

Malicious code in mds-webcomponents (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-919

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall mds-webcomponents

What this malware does

package.json declares preinstall: node index.js, which runs automatically on every npm install. index.js collects os.homedir(), os.hostname(), os.userInfo().username, dns.getServers(), the package name, __dirname, and the full package.json contents, then HTTPS POSTs them as a querystring msg=... parameter to 2mpf1804g4gnfnvuqqx3om0cw32vqlea.oastify.com — a Burp Collaborator (oastify.com) subdomain used as an out-of-band recon/exfiltration channel. The package provides no legitimate functionality; its only on-install effect is to leak installer host identity and project metadata to an attacker-controlled endpoint. This is the canonical dependency-confusion / red-team recon beacon shape.

The OpenSSF Package Analysis project identified 'mds-webcomponents' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged

1.0.01.0.2

Indicators of compromise (SHA-256)

d35cd4fc7e553141b386ee1a6a68e45c41d5ae73d8e013beafd90f6dfc4b1afd

7f6007f508051582581cb5f52ff3494c5da6bb9ad1b6725fa6801b5c1b8e0825

4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e

Frequently asked questions

No. mds-webcomponents on npm has been identified as a malicious package (versions 1.0.0, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005297

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection