VYPR

npm · Malicious package advisory

Malware

rtc-integration-frontend-sdk

MAL-2026-10129

Malicious code in rtc-integration-frontend-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a)
rtc-integration-frontend-sdk@99.9.0 registers a postinstall lifecycle hook ("postinstall": "node index.js") that fires automatically on npm install. index.js collects installer host reconnaissance — os.hostname(), userInfo().username, platform/arch, local network interface addresses, the public IP resolved via a call to https://api.ipify.org, the current working directory, and the package name — and POSTs the collected data to a hardcoded Discord webhook at discord.com/api/webhooks/. The package name and 99.9.0 version shape are consistent with a typosquat/version-bump lure; installing the package causes unconditional install-time exfiltration of host identifiers to an attacker-controlled endpoint.

Compromised versions (1)

  • 99.9.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.