Malicious package

nativescript-swisspost-imagepicker (npm)

Malicious code in nativescript-swisspost-imagepicker (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5792
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach. Because the beacon runs from a preinstall hook, it has already fired on every host that installed the package; treat the installing project's name, and the fact that your resolver reached the public registry for it, as disclosed. To close the underlying dependency-confusion path, publish internal packages under a scope and pin that scope to your private registry (an @scope:registry= line in .npmrc); setting ignore-scripts=true blocks this preinstall hook but does not stop the public package from being resolved in the first place.
npm uninstall nativescript-swisspost-imagepicker

What this malware does

package.json declares preinstall: node index.js, so the code runs during npm install, before anything in the installing project has had a chance to inspect it. index.js reads process.env.INIT_CWD (the working directory of the project running the install), takes its basename, and POSTs a JSON payload {pkg, timestamp, transport, project} to the hardcoded URL https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5.

The package name nativescript-swisspost-imagepicker, the package description (Security PoC for Bug Bounty) and the comment Harmless dependency confusion PoC in index.js identify this as a dependency-confusion squat: a public package published under a name that an internal Swiss Post NativeScript package was expected to occupy, so that resolvers which consult the public registry pick it up. On install, the installing project's name is silently sent to a third-party endpoint. That confirms to the operator of deepbounty.dd06-dev.fr that the private package exists and what it is called, and builds a directory of organizations whose builds resolved this public package.

The author's self-labelling as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network traffic carrying installer-side identifiers to a host the installer does not control.

Malicious versions

1 flagged
52.31.0

Indicators of compromise (SHA-256)

305d997233ef6f66cb10c6e104f04006090b7a7097f7a2ba3641b791434403ce
b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62

Frequently asked questions

Is nativescript-swisspost-imagepicker safe to use?

No. nativescript-swisspost-imagepicker on npm has been identified as a malicious package (version 52.31.0 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-006508
IN-MAL-2026-006507

Credits

  • Amazon Inspector · finder

nativescript-swisspost-imagepicker (npm) malicious package — MAL-2026-5792 | O3 Security