Which versions of webpack-cache-reset are malicious?

The following npm versions of webpack-cache-reset are flagged malicious: 0.1.4. Treat any of these as compromised.

How do I remediate webpack-cache-reset if I installed it?

Remove webpack-cache-reset from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is webpack-cache-reset part of a known attack campaign?

Yes — webpack-cache-reset is associated with the IN-MAL-2026-005545, IN-MAL-2026-005543 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect webpack-cache-reset in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking webpack-cache-reset and packages like it before any post-install script runs.

Malicious package

webpack-cache-resetnpm

Malicious code in webpack-cache-reset (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5580

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall webpack-cache-reset

What this malware does

On npm install, the package's postinstall hook runs loader.js, which hex-decodes the URL https://jsonkeeper.com/b/INN1F (an anonymous JSON paste host), fetches the response, writes the embedded manifest.session payload to a temporary.js file, and require()'s it inside a detached child node process — executing attacker-controlled JavaScript on the installer's machine. The URL is obfuscated via Buffer.from(<hex>, 'hex') and the temporary file is cleaned up after load to hide traces. The package additionally impersonates a webpack utility: README is titled 'webpack-cache-plugin' and instructs users to npm install webpack-cache-plugin --save-dev, while the published name is 'webpack-cache-reset' and the declared repository (github.com/webpack-tools/webpack-cache-plugin) does not exist. Installers are lured under a webpack-ecosystem name into running arbitrary remote code at install time.

Malicious versions

1 flagged

0.1.4

Indicators of compromise (SHA-256)

7092bc577f8d9ec2d9b04d6afd5beffb37f4e9d7677a3c378397c0f350766be5

fee0027f45dd4846b52b99120af39a0bca88f8693047612e946cd8d816f36e6c

Frequently asked questions

No. webpack-cache-reset on npm has been identified as a malicious package (version 0.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005545IN-MAL-2026-005543

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection