Malicious package

webpack-patch (npm)

Malicious code in webpack-patch (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5581
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall webpack-patch

What this malware does

The package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached child process running node lib/caller.js. caller.js fetches https://jsonkeeper.com/b/XRGF3 via axios and passes the response's .cookie field to new Function.constructor('require', s)(require), executing attacker-controlled JavaScript with full Node privileges, and does so in a retry loop.

The C2 URL and the HTTP header name/value are stored as base64 strings under sham process.env keys (DEV_API_KEY base64-decodes to https://jsonkeeper.com/b/XRGF3); a sibling const.js variant points at https://jsonkeeper.com/b/4NAKK, providing pivot URLs if the primary paste is removed. jsonkeeper.com is an anonymous, mutable paste host: whoever controls the paste controls arbitrary code execution on every consumer that loads webpack-patch and exercises its API.

The package.json description is generic boilerplate copied from an unrelated security policy, and the main entry point is a fake pino-style middleware whose only meaningful effect is launching the dropper.
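The behaviours described above translate into a static triage check over a package's source files. The following Node.js code is an added example, not code from this advisory or from the package; the rule names, helper functions and `SAMPLE` text are constructed for illustration, and only the two jsonkeeper.com URLs come from the advisory.

```javascript
// Added example: static triage for the loader pattern this advisory describes.
// The two URLs come from the advisory; rule names and SAMPLE are constructed.
const KNOWN_C2 = ['https://jsonkeeper.com/b/XRGF3', 'https://jsonkeeper.com/b/4NAKK'];

// Return every quoted literal in `source` that base64-decodes to an http(s) URL.
function findBase64Urls(source) {
  const hits = [];
  const literal = /(['"`])([A-Za-z0-9+\/]{16,}={0,2})\1/g;
  for (const m of source.matchAll(literal)) {
    const url = Buffer.from(m[2], 'base64').toString('utf8');
    // Keep only clean printable URLs; random identifiers decode to garbage.
    if (/^https?:\/\/[\x21-\x7e]+$/.test(url)) hits.push({ encoded: m[2], url });
  }
  return hits;
}

// Apply the three heuristics to one file's text and return the findings.
function scanSource(source) {
  const findings = [];
  for (const { url } of findBase64Urls(source)) {
    const rule = KNOWN_C2.includes(url) ? 'known-c2-url' : 'base64-url';
    findings.push({ rule, detail: url });
  }
  // Code built from a string at run time: Function(...) or Function.constructor(...).
  const dyn = source.match(/\bFunction\s*(?:\.\s*constructor\s*)?\(/);
  if (dyn) findings.push({ rule: 'dynamic-function', detail: dyn[0] });
  // child_process option that lets the child outlive the parent.
  const det = source.match(/\bdetached\s*:\s*true\b/);
  if (det) findings.push({ rule: 'detached-child', detail: det[0] });
  return findings;
}

// Constructed sample shaped like the behaviour described above (never executed).
const SAMPLE = [
  `process.env.DEV_API_KEY = "${Buffer.from(KNOWN_C2[0]).toString('base64')}";`,
  `spawn('node', ['lib/caller.js'], { detached: true });`,
  `new Function.constructor('require', s)(require);`,
].join('\n');

for (const f of scanSource(SAMPLE)) console.log(`${f.rule}: ${f.detail}`);
```

Each rule on its own is a triage signal rather than a verdict, since legitimate code also uses `detached: true`; the combination of an encoded URL, a detached child and run-time code construction in one package is what warrants manual review.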

Malicious versions

1 flagged
1.1.7

Indicators of compromise (SHA-256)

d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba

Frequently asked questions

No. webpack-patch on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005546

Credits

  • Amazon Inspector · finder

webpack-patch (npm) malicious package — MAL-2026-5581 | O3 Security