Which versions of web-model-bridge are malicious?

The following npm versions of web-model-bridge are flagged malicious: 9999.99.99. Treat any of these as compromised.

How do I remediate web-model-bridge if I installed it?

Remove web-model-bridge from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is web-model-bridge part of a known attack campaign?

Yes — web-model-bridge is associated with the IN-MAL-2026-005753, IN-MAL-2026-005752 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect web-model-bridge in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking web-model-bridge and packages like it before any post-install script runs.

Malicious package

web-model-bridgenpm

Malicious code in web-model-bridge (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5697

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall web-model-bridge

What this malware does

On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS, CI-detection result, and the GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-lookup fallback encodes the same identifiers as a subdomain under *.b.ddactic-lab.online so the leak still completes even when HTTP egress is filtered — a pattern intended specifically to defeat egress controls. The package itself is a hollow placeholder: package.json describes it as an npm 404 error reference and index.js does nothing but require('web-model-bridge') (its own name) inside a try/catch, so the only effect of installing it is the install-time beacon. Any CI pipeline whose dependency tree references this name will leak the owning GitHub org/repo/workflow identity to an unrelated third-party domain on every build.

Malicious versions

1 flagged

9999.99.99

Indicators of compromise (SHA-256)

14168589320a79c49b3c70ac3698ae673609824ecff707dc60fe0d04ad789003

3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893

Frequently asked questions

No. web-model-bridge on npm has been identified as a malicious package (version 9999.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005753IN-MAL-2026-005752

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection