Which versions of via-city-tools-m-particle are malicious?

The following npm versions of via-city-tools-m-particle are flagged malicious: 99.9.1. Treat any of these as compromised.

How do I remediate via-city-tools-m-particle if I installed it?

Remove via-city-tools-m-particle from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is via-city-tools-m-particle part of a known attack campaign?

Yes — via-city-tools-m-particle is associated with the IN-MAL-2026-005064, IN-MAL-2026-005063 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect via-city-tools-m-particle in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking via-city-tools-m-particle and packages like it before any post-install script runs.

Malicious package

via-city-tools-m-particlenpm

Malicious code in via-city-tools-m-particle (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5456

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall via-city-tools-m-particle

What this malware does

The package exports an empty object (module.exports = {}) and has no functionality of its own. Its only substantive effect is to declare a dependency on ltidisafe pinned to the off-registry tarball URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.6.tgz. Installing this package causes npm to fetch and install that arbitrary tarball — hosted in a generic Google Cloud Storage bucket with no registry integrity guarantees and no publisher binding — and any lifecycle scripts (preinstall/install/postinstall) inside it run automatically on the installer's machine. The package metadata is hollow (empty description, empty author, no repository), and the unscoped name via-city-tools-m-particle resembles legitimate scoped tooling, consistent with a dependency-confusion lure whose only purpose is to smuggle the off-registry tarball into target build environments.

Malicious versions

1 flagged

99.9.1

Indicators of compromise (SHA-256)

154a8595ab694cc8aa24f5b7f09922ac9a6a26fe8c5a22c6297a64d129a11cff

bc5c4f690e0399edc4408e7729291803db7916ed764bcfe16988f4cdccd5cfc1

Frequently asked questions

No. via-city-tools-m-particle on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005064IN-MAL-2026-005063

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection