Which versions of sorenson-webfonts are malicious?

The following npm versions of sorenson-webfonts are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate sorenson-webfonts if I installed it?

Remove sorenson-webfonts from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is sorenson-webfonts part of a known attack campaign?

Yes — sorenson-webfonts is associated with the IN-MAL-2026-005052, IN-MAL-2026-005051 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect sorenson-webfonts in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking sorenson-webfonts and packages like it before any post-install script runs.

Malicious package

sorenson-webfontsnpm

Malicious code in sorenson-webfonts (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5028

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall sorenson-webfonts

What this malware does

[email protected] is a hollow package: index.js is a 2-line stub ('use strict'; module.exports = {};), author/description fields are empty, and the version number 99.9.1 is the high-version pattern characteristic of dependency-confusion attempts to override an internal package. The package's only effect on install is to pull a single dependency, ltidisafe, directly from an HTTPS tarball URL on a Google Cloud Storage bucket (https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.8.2.tgz) — a non-registry, non-publisher location whose path segment depenconf suggests dependency-confusion staging. Resolving this dependency causes npm to fetch and execute the lifecycle scripts of an off-registry tarball whose contents are not pinned by integrity hash and not subject to registry review. The package name (sorenson-webfonts) bears no relation to the dependency name or to any stated purpose; there is no advertised webfont functionality in the shipped code. The combination of empty body, placeholder metadata, 99.9.x version, and an unrelated off-registry tarball pulled from a bucket path named after dependency confusion is the smuggling-vehicle shape rather than a legitimate library.

The OpenSSF Package Analysis project identified 'sorenson-webfonts' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

ebdc541a49aeb340c75d6a96abee6465496dc22a04e82be2f03b85b2be1c3881

b8e32c18e4ba386704d92710d4231a5787072ce40c1e57d39b5b7ea5aaa56a64

d45b3e803fc04f697e067f5dfbc9a9c37878d1b7faed2ad4aea69dd9bed25c32

Frequently asked questions

No. sorenson-webfonts on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005052IN-MAL-2026-005051

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection