Malicious package

uipathisfun (npm)

Malicious code in uipathisfun (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-1983
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall uipathisfun

What this malware does

The package uipathisfun was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'uipathisfun' @ 1.0.11 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

22 flagged
1.0.3, 1.0.5, 1.0.7, 1.0.8, 1.0.9, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.28, 1.0.33, 1.0.35, 1.0.36, 1.0.41

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for uipathisfun (22 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging uipathisfun across your stack and pipelines.

  2. If you installed it — respond

    Remove uipathisfun from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If uipathisfun was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks uipathisfun before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
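
A lockfile check for step 1, as an added example (not O3's scanner and not code from the advisory): it reads an npm package-lock.json in either the v1 nested layout or the v2/v3 flat layout and reports every entry that resolves to uipathisfun, including installs under an alias. The function name `findInLockfile` and both sample lockfiles are constructed for illustration; the version list is the 22 versions this page lists.

```javascript
// Added example: find uipathisfun in an npm package-lock.json (v1, v2 or v3).
const PKG = "uipathisfun";
// The 22 versions this advisory lists as malicious.
const FLAGGED = new Set(("1.0.3 1.0.5 1.0.7 1.0.8 1.0.9 1.0.11 1.0.12 1.0.13 1.0.14 " +
  "1.0.15 1.0.16 1.0.17 1.0.20 1.0.21 1.0.22 1.0.23 1.0.24 1.0.28 1.0.33 1.0.35 " +
  "1.0.36 1.0.41").split(" "));

// Hypothetical helper: returns one record per lockfile entry that resolves to PKG.
// Entries at versions the advisory does not list come back with flagged: false.
function findInLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const record = (where, name, version) => {
    if (name === PKG) hits.push({ where, version, flagged: FLAGGED.has(version) });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "name" is recorded when the folder name differs from the package (alias).
    record(path, meta.name || path.split("node_modules/").pop(), meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree; aliases look like
  // "npm:<real-name>@<version>" in the version field.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail + "/" + name;
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      record(where, alias ? alias[1] : name, alias ? alias[2] : meta.version);
      walk(meta.dependencies, where);
    }
  };
  // v2 files carry both sections; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not taken from the advisory).
const SAMPLE_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/build-helper/node_modules/uipathisfun": { version: "1.0.11" },
  "node_modules/ui-utils": { name: "uipathisfun", version: "1.0.2" } } });
const SAMPLE_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  "build-helper": { version: "2.0.0", dependencies: {
    "ui-utils": { version: "npm:uipathisfun@1.0.41" } } } } });

console.log(findInLockfile(SAMPLE_V3), findInLockfile(SAMPLE_V1));
```

To check a real project, pass the text of its package-lock.json to `findInLockfile`. A hit shows the package was resolved into the dependency tree, not whether its payload ran, which is what step 3 covers.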

Frequently asked questions

No. uipathisfun on npm has been identified as a malicious package (versions 1.0.3, 1.0.5, 1.0.7, 1.0.8, 1.0.9, 1.0.11, 1.0.12, 1.0.13, and 14 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-9674-vwjj-qxjp

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks uipathisfun-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

uipathisfun (npm) malicious package — MAL-2026-1983 | O3 Security