Which versions of morningstar-design-system are malicious?

The following npm versions of morningstar-design-system are flagged malicious: 99.0.0, 99.0.1, 99.0.2. Treat any of these as compromised.

How do I remediate morningstar-design-system if I installed it?

Remove morningstar-design-system from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is morningstar-design-system part of a known attack campaign?

Yes — morningstar-design-system is associated with the IN-MAL-2026-005075, IN-MAL-2026-005066, IN-MAL-2026-005123 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect morningstar-design-system in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking morningstar-design-system and packages like it before any post-install script runs.

Malicious package

morningstar-design-systemnpm

Malicious code in morningstar-design-system (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5449

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall morningstar-design-system

What this malware does

On npm install, the package's preinstall lifecycle script runs wget against a hardcoded bare-IP HTTP endpoint, passing the output of id, pwd, hostname, and ip a as URL query parameters. This leaks the installing user's username/UID/GID, working directory, hostname, and full network interface configuration to an attacker-controlled host automatically, before any other code runs. The package name targets Morningstar's organizational namespace and is published at an absurd 99.0.1 version — the canonical dependency-confusion shape designed to override an internal package of the same name. README self-identifies as a dependency-confusion PoC. Whether labeled research or not, the published artifact actively exfiltrates installer data to a third-party IP and is unsafe to install in any environment.

Malicious versions

3 flagged

99.0.099.0.199.0.2

Indicators of compromise (SHA-256)

18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e

b7c142e1dbd0c447de86c8f45555623eec0ca091eb202b435865aaa5688c76de

06a27dd57899084595fca32ae35722b70847a43879cb19a17b1d21f95fb6840a

Frequently asked questions

No. morningstar-design-system on npm has been identified as a malicious package (versions 99.0.0, 99.0.1, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005075IN-MAL-2026-005066IN-MAL-2026-005123

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection