Which versions of ts-webplug are malicious?

The following npm versions of ts-webplug are flagged malicious: 3.0.5. Treat any of these as compromised.

How do I remediate ts-webplug if I installed it?

Remove ts-webplug from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ts-webplug part of a known attack campaign?

Yes — ts-webplug is associated with the IN-MAL-2026-006883 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ts-webplug in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ts-webplug and packages like it before any post-install script runs.

Malicious package

ts-webplugnpm

Malicious code in ts-webplug (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5994

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ts-webplug

What this malware does

[email protected] impersonates the pino logger (exports named pino, lib/ tree mirroring pino's file layout, keywords fast/logger/stream/json) but its main export wires consumers into a remote-code-execution dropper. index.js's middleware export spawns a detached node lib/caller.js (spawn('node', [...], { detached: true, stdio: 'ignore' }) followed by child.unref()) so the child survives the parent. caller.js then fetches JavaScript from https://jsonkeeper.com/b/U2BTS (an anonymous, mutable JSON-paste host) and executes the response's cookie field with new Function.constructor('require', s); handler(require), granting the remote payload full Node require() access on the installer's machine. Decoy process.env strings (DEV_API_KEY etc.) base64-decode to additional jsonkeeper.com URLs. The harm fires whenever a consumer imports the package and invokes the default/pino-named middleware — a path developers reach immediately when they install what they believe is a pino-shaped logger.

Malicious versions

1 flagged

3.0.5

Indicators of compromise (SHA-256)

2a205cee3f545c9dd5083055f8dad50c5e131603bf50d37bbb3f7ef5a744d88f

Frequently asked questions

No. ts-webplug on npm has been identified as a malicious package (version 3.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006883

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection