Which versions of uisp-connector are malicious?

The following npm versions of uisp-connector are flagged malicious: 0.0.1-security-research, 99.0.0. Treat any of these as compromised.

How do I remediate uisp-connector if I installed it?

Remove uisp-connector from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is uisp-connector part of a known attack campaign?

Yes — uisp-connector is associated with the IN-MAL-2026-005246, IN-MAL-2026-005245 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect uisp-connector in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking uisp-connector and packages like it before any post-install script runs.

Malicious package

uisp-connectornpm

Malicious code in uisp-connector (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5288

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall uisp-connector

What this malware does

package.json declares preinstall: node index.js || true, causing index.js to run automatically on npm install. index.js issues a DNS resolution and HTTPS GET to a unique subdomain under oast.online (an Interactsh out-of-band collection server). The callback reveals the installer's resolver IP, egress IP, and the fact that an internal build system fetched a package matching this name — the canonical dependency-confusion exfiltration signal. The README self-identifies the package as security research, and the version string contains security-research, but an installer cannot distinguish authorized research from real exploitation: the network beacon and information disclosure happen identically in both cases, and whoever controls the Interactsh subdomain receives the data.

The OpenSSF Package Analysis project identified 'uisp-connector' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged

0.0.1-security-research99.0.0

Indicators of compromise (SHA-256)

7387d5655b4341cd75024769045f64a7a2e6315e948c9b2e9789c9704f48ecc7

9f2716a2af0ca7a9cfaa91ed2de5c46667d7630eae137db8c89a0e3911137115

351b32a85d024168970d1a2e8b7c9c5e6ff6f1d31191390f248a988d9ea6b9a9

Frequently asked questions

No. uisp-connector on npm has been identified as a malicious package (versions 0.0.1-security-research, 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005246IN-MAL-2026-005245

References

npmjs.com

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection