Which versions of webpack-cache-clean are malicious?

The following npm versions of webpack-cache-clean are flagged malicious: 0.1.4. Treat any of these as compromised.

How do I remediate webpack-cache-clean if I installed it?

Remove webpack-cache-clean from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is webpack-cache-clean part of a known attack campaign?

Yes — webpack-cache-clean is associated with the IN-MAL-2026-005544 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect webpack-cache-clean in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking webpack-cache-clean and packages like it before any post-install script runs.

Malicious package

webpack-cache-cleannpm

Malicious code in webpack-cache-clean (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5578

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall webpack-cache-clean

What this malware does

On npm install, the package runs a postinstall hook (node -e "require('./loader.js')") that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a manifest.session field, writes it to a temp file, and require()s it — with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches. The package metadata is also inconsistent: the package name is webpack-cache-clean, the README is titled webpack-cache-plugin, the repository URL points at webpack-tools/webpack-cache-plugin, and the author is the generic Webpack Tools — a cover story to lure installers searching for legitimate webpack cache tooling. This satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.

Malicious versions

1 flagged

0.1.4

Indicators of compromise (SHA-256)

8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9

Frequently asked questions

No. webpack-cache-clean on npm has been identified as a malicious package (version 0.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005544

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection