Malicious package

wm-mapper (npm)

Malicious code in wm-mapper (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4826
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall wm-mapper

What this malware does

wm-mapper@99.9.1 is an empty stub (index.js is 35 bytes exporting {}, no description, no author) published at an artificially high version (99.9.1), consistent with dependency-confusion attacks against an internal package of the same name. Its package.json declares its sole runtime dependency as a direct HTTPS tarball URL ("ltidisafe": "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.5.tgz"), bypassing the npm registry entirely. The path segment literally contains depenconf (dependency confusion). On npm install, npm fetches that tarball from an anonymous Google Cloud Storage bucket and executes any lifecycle scripts (preinstall/install/postinstall) it declares. The bucket contents are not vetted by the registry, are mutable server-side after publication, and the bucket owner has no apparent affiliation with the host package. The host package's only effect on installers is to drag arbitrary, swappable, attacker-controlled code into the install tree.
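An added example (not part of the advisory or of any finder's tooling): a Node.js check that walks the `packages` map of a package-lock.json (lockfile v2/v3) and flags the traits described above, namely dependencies pinned to URLs outside the registry and inflated versions. The lockfile content, the registry allowlist, the version threshold and the function names are constructed assumptions.

```javascript
// Added example: helper names, allowlist and threshold are assumptions, not npm APIs.
const ALLOWED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // add a private registry host here
const SUSPICIOUS_MAJOR = 90; // heuristic: versions like 99.9.1 are typical of dependency confusion
const BUCKET_URL = "https://ltidi.storage.googleapis.com/depenconf/ltidisafe-2.7.5.tgz"; // from the advisory

// True when a dependency spec or resolved URL points at a host outside the allowlist.
function isOffRegistryUrl(value) {
  if (typeof value !== "string" || !/^(git\+)?https?:\/\//i.test(value)) return false;
  try {
    return !ALLOWED_REGISTRY_HOSTS.has(new URL(value.replace(/^git\+/i, "")).hostname);
  } catch {
    return true; // URL-like but unparseable: surface it for manual review
  }
}

// Walk every lockfile entry and collect findings for three rules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    const name = i === -1 ? path || "(root)" : path.slice(i + "node_modules/".length);
    // Rule 1: the tarball itself was fetched from outside the registry.
    if (isOffRegistryUrl(entry.resolved)) findings.push({ name, rule: "resolved-off-registry", detail: entry.resolved });
    // Rule 2: a package declares a dependency as a direct URL instead of a semver range.
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (isOffRegistryUrl(spec)) findings.push({ name, rule: "url-dependency", detail: `${dep} -> ${spec}` });
    }
    // Rule 3: implausibly high major version.
    const major = parseInt(String(entry.version || "").split(".")[0], 10);
    if (major >= SUSPICIOUS_MAJOR) findings.push({ name, rule: "inflated-version", detail: entry.version });
  }
  return findings;
}

// Constructed lockfile fragment modelled on the advisory's description.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "wm-mapper": "^1.0.0", "example-lib": "^1.3.0" } },
    "node_modules/example-lib": { version: "1.3.0", resolved: "https://registry.npmjs.org/example-lib/-/example-lib-1.3.0.tgz" },
    "node_modules/wm-mapper": {
      version: "99.9.1",
      resolved: "https://registry.npmjs.org/wm-mapper/-/wm-mapper-99.9.1.tgz",
      dependencies: { ltidisafe: BUCKET_URL },
    },
    "node_modules/ltidisafe": { version: "2.7.5", resolved: BUCKET_URL },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile` and fail the CI job when the returned array is non-empty.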

The OpenSSF Package Analysis project identified 'wm-mapper' @ 99.9.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
99.9.1

Indicators of compromise (SHA-256)

d3ca8c31fe1e2448adc737f90ef9278202575bc77d3a4a5206e62920219e54a0
aeb5bc616333f6ae1c6d1aedd16a0ed444fbf405fb3131b1ce45556810c3b5dd
380f281f71ec04bc9867a9b12d46852936494de6d2be3df55b1422bde2f5f01d

Frequently asked questions

No. wm-mapper on npm has been identified as a malicious package (version 99.9.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005060, IN-MAL-2026-005059

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder
