Malicious package

unleash-js (npm)

Malicious code in unleash-js (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4827
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall unleash-js

What this malware does

unleash-js@99.9.1 is an empty stub package (index.js exports {}, 35 bytes; no author, no description) whose sole effect is to pull a chained dependency, ltidisafe, from an arbitrary tarball URL on a third-party Google Cloud Storage bucket: https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.7.tgz. The host is not the package publisher's domain, the tarball is not pinned by hash, and the bucket is mutable, so any installer running npm install unleash-js fetches and executes whatever bytes currently sit at that URL, including any lifecycle scripts (preinstall/install/postinstall) inside the fetched tarball. The 99.9.1 version, empty metadata, and depenconf path segment are consistent with a dependency-confusion squat targeting an internal package name; the stub's only purpose is to act as a loader for the externally hosted payload.
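The loader pattern described above, as an added example that is not the advisory's or O3 Security's own tooling: a Node.js script that audits a package.json and a package-lock.json (lockfileVersion 2 or 3) for dependencies declared or resolved as off-registry tarballs, entries with no integrity hash, packages that declare install lifecycle scripts (npm's hasInstallScript flag), the two package names from this advisory, and the implausibly high major version. The sample manifest and lockfile are constructed to mirror the description, not copied from the real package; the trusted-host list and the major-version-99 heuristic are assumptions.

```javascript
'use strict';

// Package names taken from this advisory. Extend as needed.
const KNOWN_BAD = new Set(['unleash-js', 'ltidisafe']);
// Assumption: only the public registry is a trusted tarball origin.
// Add your private registry host here if you run one.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']);
// Dependency specs that bypass the registry: tarball URLs, git remotes,
// GitHub shorthand, local files.
const NON_REGISTRY_SPEC = /^(https?:\/\/|git\+|git:\/\/|github:|file:)/;

// Scan a parsed package.json for dependencies declared as something other
// than a registry version range. Returns one finding per offending entry.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY_SPEC.test(spec)) {
        findings.push({ name, spec, field, reason: 'non-registry-spec' });
      }
      if (KNOWN_BAD.has(name)) {
        findings.push({ name, spec, field, reason: 'known-malicious-name' });
      }
    }
  }
  return findings;
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map)
// for installed packages that match the loader pattern.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // Keys look like node_modules/foo or node_modules/foo/node_modules/@s/bar.
    const name = meta.name || path.split('node_modules/').pop();
    const version = meta.version || '?';
    const add = (reason) => findings.push({ name, version, path, reason });

    if (KNOWN_BAD.has(name)) add('known-malicious-name');

    const resolved = meta.resolved || '';
    if (/^https?:\/\//.test(resolved)) {
      const host = new URL(resolved).host;
      if (!TRUSTED_HOSTS.has(host)) add(`off-registry-tarball:${host}`);
      // Without an integrity hash the lockfile pins nothing about the bytes.
      if (!meta.integrity) add('no-integrity');
    }
    // npm sets this flag for packages with preinstall/install/postinstall.
    if (meta.hasInstallScript) add('install-lifecycle-script');
    // Heuristic (assumption): squatted internal names are often published
    // with a version chosen to outrank any real release.
    const major = parseInt(version.split('.')[0], 10);
    if (Number.isFinite(major) && major >= 99) add('suspicious-high-version');
  }
  return findings;
}

// Constructed sample inputs, not copied from the real package: what the
// stub's manifest and a victim's lockfile would plausibly look like.
// Integrity values for benign entries are placeholders.
const STUB_MANIFEST = {
  name: 'unleash-js',
  version: '99.9.1',
  main: 'index.js',
  dependencies: {
    ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.7.tgz',
  },
};

const SAMPLE_LOCK = {
  name: 'victim-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'victim-app', dependencies: { 'unleash-js': '99.9.1', lodash: '^4.17.21' } },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-placeholder',
    },
    'node_modules/unleash-js': {
      version: '99.9.1',
      resolved: 'https://registry.npmjs.org/unleash-js/-/unleash-js-99.9.1.tgz',
      integrity: 'sha512-placeholder',
      dependencies: { ltidisafe: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.7.tgz' },
    },
    'node_modules/ltidisafe': {
      version: '2.7.7',
      resolved: 'https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.7.tgz',
      hasInstallScript: true, // assumed for the sample; the page does not confirm a script
    },
  },
};

console.log(JSON.stringify({
  manifest: auditManifest(STUB_MANIFEST),
  lockfile: auditLockfile(SAMPLE_LOCK),
}, null, 2));
```

To run it against your own tree, replace the constructed objects with JSON.parse of package.json and package-lock.json. Treat every off-registry-tarball finding as worth a manual look even when the name is on no blocklist: a lockfile integrity field only pins later installs and says nothing about what the bucket served the first time the package was fetched.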

The OpenSSF Package Analysis project identified 'unleash-js' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

d00549f2feef5f3af06b3625effca261dd2be514ae05dc1b21c60e3cb9d1b23b
3767c7f2a916b57669b72ccc6532d0ded6fb74bf6dd3ffe79fe72dcf13d47e9b
f3315b3ff9fe481a7a008cff1227c2449dd8762bdf0abbe1a6194954306c745d

Frequently asked questions

No. unleash-js on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005058
IN-MAL-2026-005057

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

unleash-js (npm) malicious package — MAL-2026-4827 | O3 Security