Which versions of unico-check are malicious?

The following npm versions of unico-check are flagged malicious: 9.9.9. Treat any of these as compromised.

How do I remediate unico-check if I installed it?

Remove unico-check from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is unico-check part of a known attack campaign?

Yes — unico-check is associated with the IN-MAL-2026-006698 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect unico-check in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking unico-check and packages like it before any post-install script runs.

Malicious package

unico-checknpm

Malicious code in unico-check (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5830

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall unico-check

What this malware does

package.json declares a preinstall lifecycle hook that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f, passing the installer's hostname, current user, working directory, full uname -a output, and $HOME as query parameters. The beacon fires automatically on npm install with no user interaction. The package ships no source files, declares no main entry, and uses the implausible version 9.9.9 — the canonical shape of a dependency-confusion / typosquat reconnaissance package targeting builds that may resolve a private unico-check from the public registry. The package's only effect on installation is to leak host identifiers to an anonymous, attacker-controlled webhook.site bin, staging follow-on compromise.

Malicious versions

1 flagged

9.9.9

Indicators of compromise (SHA-256)

1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d

Frequently asked questions

No. unico-check on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006698

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection