Which versions of unicocheck-ios are malicious?

The following npm versions of unicocheck-ios are flagged malicious: 9.9.9. Treat any of these as compromised.

How do I remediate unicocheck-ios if I installed it?

Remove unicocheck-ios from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is unicocheck-ios part of a known attack campaign?

Yes — unicocheck-ios is associated with the IN-MAL-2026-006696 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect unicocheck-ios in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking unicocheck-ios and packages like it before any post-install script runs.

Malicious package

unicocheck-iosnpm

Malicious code in unicocheck-ios (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5831

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall unicocheck-ios

What this malware does

package.json declares a preinstall lifecycle script that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters carrying the installer's hostname, username ($(whoami)), current working directory, OS uname output, and HOME path. This fires automatically on npm install before any user code runs, leaking host identifiers and environment context to a third-party webhook capture endpoint controlled by the publisher. The package metadata (name unicocheck-ios, description Unico Check iOS SDK - biometric identity verification, version 9.9.9) impersonates the Unico vendor's iOS SDK and uses the canonical dependency-confusion sentinel version, indicating the package is positioned to win resolution against an internal package name and harvest data from build environments that mistakenly fetch it from the public registry.

Malicious versions

1 flagged

9.9.9

Indicators of compromise (SHA-256)

bafc91c569cf42c5f1ff68531a8d5238919f595368ffa90b7d4e5bcc74fe9788

Frequently asked questions

No. unicocheck-ios on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006696

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection