Which versions of unifi-portal are malicious?

The following npm versions of unifi-portal are flagged malicious: 0.0.1-security-research, 99.0.0. Treat any of these as compromised.

How do I remediate unifi-portal if I installed it?

Remove unifi-portal from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is unifi-portal part of a known attack campaign?

Yes — unifi-portal is associated with the IN-MAL-2026-005160, IN-MAL-2026-005161, IN-MAL-2026-005242, IN-MAL-2026-005241 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect unifi-portal in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking unifi-portal and packages like it before any post-install script runs.

Malicious package

unifi-portalnpm

Malicious code in unifi-portal (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5289

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall unifi-portal

What this malware does

Package name unifi-portal shadows a presumed-private internal namespace and ships a preinstall: node index.js hook. On npm install, index.js (lines 4-5) performs a DNS resolve and HTTPS GET to d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online — an interactsh/OAST collector controlled by a third party. The installer's source IP, resolver IP, hostname-derived subdomain label, and install timing are recorded by the collector without consent. The README self-describes as authorized security research against Ubiquiti's bug bounty, but the package is published to the public npm registry and any organization that resolves the name from public npm will be beaconed. The payload itself is a one-way phone-home (no env/credential scraping, no RCE), but the install-time outbound network to an attacker-shaped destination meets the supply-chain-attack threshold for a dependency-confusion squat.

The OpenSSF Package Analysis project identified 'unifi-portal' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

2 flagged

0.0.1-security-research99.0.0

Indicators of compromise (SHA-256)

8ff224f10cd94268bd5347ea6898f0cb1c54d23b19a6eb02d8efa268a16e15e8

bcc805dd8053a750065e3593713b863e253ff746194f6d1fc6bcebeb73c0b43a

3096cda2c06da245674cddf9707355a8dc3727a4a456a838db8873502980ea0a

1839f77a47b8db30eaac2ba9aafc24c2a7b263cf075e816a383552260f1da735

9b53844d0cc8f26b013b7bbab0145f94b600118aeea09aceae5b6c29c91600fd

Frequently asked questions

No. unifi-portal on npm has been identified as a malicious package (versions 0.0.1-security-research, 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005160IN-MAL-2026-005161IN-MAL-2026-005242IN-MAL-2026-005241

References

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection