Malicious package

un112 (npm)

Malicious code in un112 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-459
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall un112

What this malware does

The package un112 was found to contain malicious code.

The OpenSSF Package Analysis project identified 'un112' @ 1.0.18 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

11 flagged
1.0.2, 1.0.3, 1.0.5, 1.0.18, 1.0.24, 1.0.28, 1.0.29, 1.0.31, 1.0.32, 1.0.36, 1.0.38

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for un112 (11 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging un112 across your stack and pipelines.

  2. If you installed it — respond

    Remove un112 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If un112 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks un112 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. un112 on npm has been identified as a malicious package (versions 1.0.2, 1.0.3, 1.0.5, 1.0.18, 1.0.24, 1.0.28, 1.0.29, 1.0.31, and 3 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks un112-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
