Malicious package

webpack-cache-cycle (npm)

Malicious code in webpack-cache-cycle (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5579
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall webpack-cache-cycle

What this malware does

On npm install, package.json's postinstall hook runs node -e "require('./loader.js')". loader.js spawns a detached node process that decodes a hex-encoded URL (https://jsonkeeper.com/b/L435A — an anonymous, mutable paste host), performs an HTTPS GET, writes the response's session field to a temporary.js file, and require()s it — executing attacker-controlled JavaScript on the installer's machine. The URL is obfuscated as a hex literal padded with whitespace inside Buffer.from(...) to evade naive string scanners. The detached spawn lets npm install exit cleanly while the dropper continues asynchronously. The package's advertised purpose is a webpack cache plugin, which does not justify any network access at install time. The package name webpack-cache-cycle and README title webpack-cache-plugin impersonate legitimate webpack tooling, with placeholder author metadata (Webpack Tools) and a non-existent GitHub repository.
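The three traits described above (an install-time hook running inline node code, a whitespace-padded hex literal that decodes to a URL, and a detached child process) can be checked statically before anything is installed. The following is an added example, not code from the package or from this advisory's publisher; the function names and the sample input (with a placeholder `example.invalid` URL) are constructed for illustration, and it checks `preinstall` and `install` in addition to the `postinstall` hook named above.

```javascript
// Added example: static triage for the install-time dropper pattern described above.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Lifecycle scripts that run inline code via `node -e` / `node --eval`.
function riskyInstallScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return LIFECYCLE.filter((name) =>
    typeof scripts[name] === 'string' && /\bnode\s+(-e|--eval)\b/.test(scripts[name]));
}

// Quoted literals made only of hex digits and whitespace: strip the padding,
// decode, and keep the ones that turn out to be http(s) URLs.
function hexEncodedUrls(source) {
  const urls = [];
  for (const m of source.matchAll(/(['"`])([0-9a-fA-F\s]{16,})\1/g)) {
    const hex = m[2].replace(/\s+/g, '');
    if (hex.length % 2 !== 0) continue; // not a whole number of bytes
    const text = Buffer.from(hex, 'hex').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) urls.push(text);
  }
  return urls;
}

// A detached child lets `npm install` exit while the child keeps running.
function spawnsDetached(source) {
  return /\b(spawn|fork|exec(File)?)\s*\(/.test(source) && /detached\s*:\s*true/.test(source);
}

// sources: { fileName: fileText }. Suspicious = risky hook plus a source finding.
function triage(packageJsonText, sources) {
  const hooks = riskyInstallScripts(packageJsonText);
  const findings = [];
  for (const [file, src] of Object.entries(sources)) {
    const urls = hexEncodedUrls(src);
    const detached = spawnsDetached(src);
    if (urls.length || detached) findings.push({ file, urls, detached });
  }
  return { hooks, findings, suspicious: hooks.length > 0 && findings.length > 0 };
}

// Constructed sample input (not the real package contents); placeholder URL.
const samplePkg = JSON.stringify({
  scripts: { postinstall: 'node -e "require(\'./loader.js\')"' },
});
const sampleHex = Buffer.from('https://example.invalid/b/XXXXX').toString('hex');
const sampleLoader =
  `const u = Buffer.from('   ${sampleHex}   ', 'hex');\n` +
  `spawn(process.execPath, ['-e', code], { detached: true, stdio: 'ignore' });\n`;

console.log(JSON.stringify(triage(samplePkg, { 'loader.js': sampleLoader }), null, 2));
```

These are heuristics for flagging a package for manual review: a hit is not proof of malice, and a clean result does not clear a package.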

Malicious versions

1 flagged
0.1.4

Indicators of compromise (SHA-256)

028ed41ba1afb95bb86e0ae1536f3e9b4a2695fc8490b7d83033ac86440d59c5
82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81

Frequently asked questions

No. webpack-cache-cycle on npm has been identified as a malicious package (version 0.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005548
IN-MAL-2026-005547

Credits

  • Amazon Inspector · finder

webpack-cache-cycle (npm) malicious package — MAL-2026-5579 | O3 Security