Malicious package

uipath-sugar-sell (npm)

Malicious code in uipath-sugar-sell (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5455
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall uipath-sugar-sell

What this malware does

Package uipath-sugar-sell@99.9.1 exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace, a 99.9.1 version overshoot designed to win semver resolution against any private registry, an empty index.js (module.exports = {}) so the package provides no actual functionality, and a single dependency ltidisafe declared as a direct URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.8.tgz. The path segment depenconf is explicit naming of the dependency-confusion technique. Installing this package causes npm to fetch and install the off-registry tarball from the Google Cloud Storage bucket, bypassing the public registry's audit surface; any lifecycle scripts in that tarball execute on the installer's machine at npm install time, and the tarball contents are mutable by whoever controls the bucket.
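The three traits described above (an off-registry tarball dependency, a version overshoot, and an empty main module) are all visible in a manifest before anything is installed, so they can be checked in CI. The script below is an added example, not O3 Security's tooling and not code from the package; it checks a package.json and the source of its main module for those traits. The sample manifest is constructed from the details in this advisory, the benign manifest is invented for contrast, and the major-version threshold of 90 used to call a version an overshoot is an assumption.

```python
"""Flag dependency-confusion indicators in an npm package manifest (added example)."""
import json
import re
from urllib.parse import urlparse

# Assumption: a major version this high is not a plausible real release and is
# treated as semver bait meant to outrank any private-registry version.
VERSION_OVERSHOOT_MAJOR = 90
# Tarball URLs hosted by the public registry itself are not "off-registry".
REGISTRY_HOSTS = {"registry.npmjs.org"}
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def off_registry_deps(manifest):
    """Return dependencies whose spec is a URL served by a host other than the registry."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            parsed = urlparse(spec)
            # Plain ranges like "^1.2.3" have no scheme or host and are skipped.
            if parsed.scheme and parsed.hostname and parsed.hostname not in REGISTRY_HOSTS:
                findings.append({"name": name, "spec": spec, "host": parsed.hostname})
    return findings


def version_overshoot(version, threshold=VERSION_OVERSHOOT_MAJOR):
    """True when the major version is implausibly high for a real package."""
    match = SEMVER_RE.match(version)
    return bool(match) and int(match.group(1)) >= threshold


def is_empty_module(source):
    """True when the module body, minus comments and whitespace, exports nothing."""
    stripped = re.sub(r"/\*.*?\*/", "", source, flags=re.S)   # block comments
    stripped = re.sub(r"//[^\n]*", "", stripped)               # line comments
    stripped = re.sub(r"\s+", "", stripped)
    return stripped in ("", "module.exports={}", "module.exports={};",
                        "exports={}", "exports={};")


def assess(manifest, main_source=None):
    """Collect human-readable reasons a package looks like dependency-confusion bait."""
    reasons = []
    for dep in off_registry_deps(manifest):
        reasons.append(
            f"dependency {dep['name']} is fetched off-registry from {dep['host']}: {dep['spec']}"
        )
    version = manifest.get("version", "")
    if version_overshoot(version):
        reasons.append(f"version {version} overshoots plausible releases")
    if main_source is not None and is_empty_module(main_source):
        reasons.append("main module is empty; the package provides no functionality")
    return reasons


# Constructed from the traits this advisory describes.
SAMPLE_MANIFEST = json.loads("""{
  "name": "uipath-sugar-sell",
  "version": "99.9.1",
  "main": "index.js",
  "dependencies": {
    "ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.8.tgz"
  }
}""")
SAMPLE_INDEX_JS = "module.exports = {};\n"

# Invented benign manifest for contrast; the names are placeholders.
BENIGN_MANIFEST = json.loads("""{
  "name": "example-lib",
  "version": "1.4.2",
  "main": "index.js",
  "dependencies": {"some-helper": "^4.17.21"}
}""")
BENIGN_INDEX_JS = "module.exports = require('./lib');\n"

if __name__ == "__main__":
    for label, manifest, src in (("sample", SAMPLE_MANIFEST, SAMPLE_INDEX_JS),
                                 ("benign", BENIGN_MANIFEST, BENIGN_INDEX_JS)):
        findings = assess(manifest, src)
        print(f"{label}: {'FLAGGED' if findings else 'clean'}")
        for reason in findings:
            print("  -", reason)
```

Run against a checkout before install, the script flags the sample on all three counts and passes the benign manifest. A lockfile check is the natural complement, since a URL dependency can be introduced transitively by a package whose own manifest looks clean; the same `off_registry_deps` logic applies to each `resolved` field there.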

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f
ed7b735f00928b9124be0c9baa0e069e8ac61d303725b62584a17e31be8de57e

Frequently asked questions

No. uipath-sugar-sell on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005055
IN-MAL-2026-005056

Credits

  • Amazon Inspector · finder

O3 Security blocks malicious packages like this at install time and in CI.
