Malicious code in sensivity (npm)

Remove it immediately and rotate any exposed credentials.

MAL-2026-5558
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall sensivity

What this malware does

On require()/import (the package's main is launcher.js, with no install hook), the package performs the following without consent:

(1) Persistence: runs PowerShell to write an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'OneDriveUpdate' that points at a bundled OneDrive.Standalone.Updater.vbs, which silently launches node launcher.js on every login (WScript.Shell.Run with windowStyle=0). The name impersonates the Microsoft OneDrive updater.

(2) Self-relaunching hidden daemon: kills any process listening on port 3000, then spawns a detached supervisor copy of itself (detached: true, stdio: 'ignore', windowsHide: true) which respawns a worker forever; the original process exits, leaving a hidden background daemon.

(3) Process masquerade: both supervisor and worker set process.title = 'Runtime Broker' to impersonate the legitimate Windows RuntimeBroker.exe in Task Manager.

(4) Browser surveillance: every 3 seconds, generates a PowerShell script that uses System.Windows.Automation to enumerate Edit controls in Chrome/Edge/Opera/Opera GX/Brave windows and reads their address-bar Value/Name (currently scanning for YouTube video id wJWta2lO0Lw, but the same code path reads any URL the user is visiting).

(5) Obfuscated payload: launcher.js eval()s a 162KB obfuscator.io-style server.obf.js that uses RC4-decoded string arrays and dispatcher functions to hide its behavior from inspection.

(6) HWID fingerprint exfiltration: the obfuscated payload computes SHA-256 over HKLM MachineGuid | hostname | volume serial and POSTs {key, hwid, nonce, app, version} to a hardcoded license endpoint embedded in the obfuscated strings.

(7) Undisclosed native payload: bundles sens.node, a 6.6MB Windows PE containing the strings 'Freecam', 'Teleport', 'spawnVehicle', 'Waypoint', '__licenseAccepted' (i.e., a GTA V / FiveM game cheat module), while package.json describes the package only as 'Sensivity Control Panel'.

Any developer who installs sensivity from npm gets persistent hidden autorun, a masqueraded background daemon, browser-URL surveillance, hardware-fingerprint exfiltration, and a game-cheat binary on their Windows machine.

Malicious versions

70 flagged
2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.17, 2.5.18, 2.5.19, 2.5.20, 2.5.21, 2.5.22, 2.5.23, 2.5.24, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 2.5.34, 2.5.35, 2.5.36, 2.5.37, 2.5.38, 2.5.39, 2.5.40, 2.5.41, 2.5.42, 2.5.43, 2.5.44, 2.5.45, 2.5.46, 2.5.47, 2.5.48, 2.5.49, 2.5.50, 2.5.51, 2.5.52, 2.5.53, 2.5.54, 2.5.55, 2.5.56, 2.5.57, 2.5.58, 2.5.59, 2.5.60, 2.5.61, 2.5.62, 2.5.63, 2.5.64, 2.5.65, 2.5.66, 2.5.67, 2.5.68, 2.5.69
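To locate every flagged copy in a project before running the uninstall step above, here is an added example (not code from the advisory or from O3 Security) that scans a package-lock.json for sensivity 2.5.0 through 2.5.69, including copies nested under other dependencies; the sample lockfile and the package name some-ui-kit are constructed.

```javascript
// Added example (not part of the advisory): flag sensivity installs in a
// package-lock.json. Flagged range per the advisory: 2.5.0 through 2.5.69.
const FLAGGED_NAME = 'sensivity';
const FLAGGED = { major: 2, minor: 5, patchMax: 69 };

// Exact x.y.z match only; pre-release or build-metadata suffixes are not flagged.
function isFlaggedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === FLAGGED.major && minor === FLAGGED.minor && patch <= FLAGGED.patchMax;
}
// lockfileVersion 1 nests "dependencies" under each entry; carry the install
// path along so nested copies (x/node_modules/sensivity) are reported too.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === FLAGGED_NAME && isFlaggedVersion(meta.version)) hits.push({ path, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, hits);
  }
}
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path; v2
// also carries the v1 tree, so that tree is walked only when "packages" is absent.
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      const idx = path.lastIndexOf('node_modules/');
      const name = meta.name || (idx >= 0 ? path.slice(idx + 'node_modules/'.length) : path);
      if (name === FLAGGED_NAME && isFlaggedVersion(meta.version)) hits.push({ path, version: meta.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', hits);
  }
  return hits;
}
// Constructed sample lockfile (v3 shape): a top-level flagged copy, a nested
// flagged copy, and an unrelated package that must not be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/sensivity': { version: '2.5.14' },
    'node_modules/some-ui-kit': { version: '4.2.0' },
    'node_modules/some-ui-kit/node_modules/sensivity': { version: '2.5.69' },
  },
};

for (const hit of findFlagged(SAMPLE_LOCK)) console.log(`flagged: ${hit.path}@${hit.version}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); each reported path is a directory to remove, and a nested hit means the parent dependency pulled sensivity in and needs attention as well.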

Indicators of compromise (SHA-256)
Frequently asked questions

Is sensivity safe to use?

No. sensivity on npm has been identified as a malicious package (versions 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, and 62 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.


Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
