Malicious package

page-info-service (npm)

Malicious code in page-info-service (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5158
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall page-info-service

What this malware does

page-info-service@99.9.1 ships an empty stub (index.js is module.exports = {}) with placeholder author/description metadata and an unusually high 99.9.1 version designed to win semver resolution against an internal package name. Its sole effect is a dependencies entry that pulls ltidisafe from an external HTTPS tarball at https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz, not from the npm registry. On npm install, npm fetches and installs that tarball and runs whatever lifecycle scripts and code it contains. The tarball is hosted on a third-party Google Cloud Storage bucket under a path (depenconf/) that explicitly suggests dependency-confusion tooling; its contents are mutable by the bucket owner, there is no integrity hash, no version pinning to a trusted registry, and no relation to any stated package purpose. This matches the canonical dependency-confusion off-registry-dropper pattern.
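To check a project for the pattern described above, the following added example (not code from the advisory or from npm) audits a parsed package.json and package-lock.json for dependencies that bypass the registry. The function names, the trusted-registry constant, the major-version threshold of 99, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example. Assumption: the public npm registry is the only trusted
// source; change TRUSTED if you install from an internal registry.
const TRUSTED = "https://registry.npmjs.org/";
const SUSPECT_MAJOR = 99; // heuristic threshold chosen for this example

// package.json object -> dependency specs that bypass the registry (URL or git).
function offRegistrySpecs(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (/^(https?:|git[+:]|github:)/i.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// package-lock.json object (lockfileVersion 2/3) -> entries worth reviewing.
function auditLock(lock) {
  const out = [];
  for (const [path, e] of Object.entries(lock.packages || {})) {
    if (path === "" || e.link || e.inBundle) continue; // root, workspace links, bundled deps
    const reasons = [];
    if (typeof e.resolved !== "string" || !e.resolved.startsWith(TRUSTED)) reasons.push("off-registry");
    if (!e.integrity) reasons.push("no-integrity");
    if (parseInt(String(e.version).split(".")[0], 10) >= SUSPECT_MAJOR) reasons.push("high-version");
    if (reasons.length) out.push({ path, reasons });
  }
  return out;
}

// Constructed samples modelled on the advisory text (not captured files).
const sampleManifest = {
  name: "page-info-service", version: "99.9.1",
  dependencies: { ltidisafe: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", resolved: TRUSTED + "left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/page-info-service": { version: "99.9.1", resolved: TRUSTED + "page-info-service/-/page-info-service-99.9.1.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/ltidisafe": { version: "2.9.3", resolved: "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.9.3.tgz" },
  },
};
console.log(offRegistrySpecs(sampleManifest));
console.log(auditLock(sampleLock));
```

A "high-version" hit alone is only a prompt to confirm the name is not one of your internal packages; an "off-registry" hit means the installed bytes are controlled by whoever owns that URL.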

The OpenSSF Package Analysis project identified 'page-info-service' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

d4a2106922e9e3851658667cacaa2c2818cdb56cd0c4df6778c0cb7fbed2338e
9314c597c5023f198b20ebe47d09cf929d8e252e27f60928a3ab73dbe77de8cd
bdbe4cc5072cdaa733c65ed059bbb9a1b51dc29b51cfc3b2ce1fa7ab9ea662bd

Frequently asked questions

No. page-info-service on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005039, IN-MAL-2026-005040

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

page-info-service (npm) malicious package — MAL-2026-5158 | O3 Security