Malicious package

unified-ui-components-library (npm)

Malicious code in unified-ui-components-library (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5648
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall unified-ui-components-library

What this malware does

On npm install, the package's postinstall.js collects os.hostname() and os.userInfo().username and embeds them as query-string parameters in a plaintext HTTP GET to a hardcoded bare IP (http://161.97.149.48/skybackground.png?display=<hostname>&profile=<username>). The fetch is dressed up as an 'image download' but the identifying data is in the URL the server logs, giving the operator a per-install fingerprint of every machine that installs the package. The download path also follows 301/302 redirects to attacker-chosen Locations and writes the server's response body to ./downloaded-image.jpg with no content-type validation, providing staging infrastructure alongside the beacon. Cover-story signals corroborate intent: package.json describes an 'image downloader CLI' with placeholder author 'Your Name', README.md advertises an unrelated 'Simple Text Utils' API (capitalize/reverse/wordCount) that the code does not implement, and index.js exports only downloadImage. The advertised purpose, README, and shipped code disagree — the consistent behavior across all three is the install-time phone-home.
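
Because the beacon carries the hostname and username in its URL, proxy or egress logs can be used to scope which machines and accounts need credential rotation. The following is an added example, not code from the package or from this advisory; it assumes each log line contains the full request URL, and the sample log lines are constructed.

```javascript
// Added example: scope affected machines from egress/proxy logs.
// Assumption: each log line contains the full request URL somewhere in it.
const BEACON_HOST = '161.97.149.48';      // hardcoded IP named in the advisory
const BEACON_PATH = '/skybackground.png'; // beacon path named in the advisory

// Pull every plaintext http:// URL out of a log line, whatever the log layout.
function extractUrls(line) {
  return line.match(/http:\/\/[^\s"']+/g) || [];
}

// Return {host, user} if the URL is the install-time beacon, else null.
function parseBeacon(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.hostname !== BEACON_HOST || u.pathname !== BEACON_PATH) return null;
  return {
    host: u.searchParams.get('display') || '(missing)', // os.hostname()
    user: u.searchParams.get('profile') || '(missing)', // os.userInfo().username
  };
}

// Deduplicate hits into one entry per host/user pair, with a hit count.
function findAffected(lines) {
  const seen = new Map();
  for (const line of lines) {
    for (const url of extractUrls(line)) {
      const hit = parseBeacon(url);
      if (!hit) continue;
      const key = `${hit.host}\u0000${hit.user}`;
      const entry = seen.get(key) || { ...hit, count: 0 };
      entry.count += 1;
      seen.set(key, entry);
    }
  }
  return [...seen.values()];
}

// Constructed sample lines (not real traffic); the log layout is hypothetical.
const SAMPLE_LOG = [
  '2026-01-01T10:00:01Z 10.0.0.5 GET http://161.97.149.48/skybackground.png?display=build-01&profile=ci 200',
  '2026-01-01T10:00:09Z 10.0.0.5 GET http://161.97.149.48/skybackground.png?display=build-01&profile=ci 200',
  '2026-01-01T10:02:44Z 10.0.0.9 GET http://161.97.149.48/skybackground.png?display=dev%2Dlaptop&profile=alice 302',
  '2026-01-01T10:03:00Z 10.0.0.9 GET http://registry.example/pkg.tgz 200',
];

console.log(findAffected(SAMPLE_LOG));
```

A 301/302 status on a beacon line means the installer went on to fetch a redirect target, which will appear under a different host and will not match this filter; review the requests that follow from the same source.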

Malicious versions

3 flagged
10.0.1, 10.0.2, 10.0.3

Indicators of compromise (SHA-256)

5c2701b0b360af9ff8d06c12dcfaba8fbeff8840d1d7c56ce600a7ae8c5f1ffb
78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8
baccf68297f0f532fddbf8186c16935ec20b3f30a749c5f0acdc5b0647567c76

Frequently asked questions

No. unified-ui-components-library on npm has been identified as a malicious package (versions 10.0.1, 10.0.2, 10.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005746, IN-MAL-2026-005747, IN-MAL-2026-005745

Credits

  • Amazon Inspector · finder

unified-ui-components-library (npm) malicious package — MAL-2026-5648 | O3 Security