npm · Malicious package advisory
Malwarertc-integration-frontend-sdk
MAL-2026-10129
Malicious code in rtc-integration-frontend-sdk (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a)
rtc-integration-frontend-sdk@99.9.0 registers a postinstall lifecycle hook ("postinstall": "node index.js") that fires automatically on npm install. index.js collects installer host reconnaissance — os.hostname(), userInfo().username, platform/arch, local network interface addresses, the public IP resolved via a call to https://api.ipify.org, the current working directory, and the package name — and POSTs the collected data to a hardcoded Discord webhook at discord.com/api/webhooks/. The package name and 99.9.0 version shape are consistent with a typosquat/version-bump lure; installing the package causes unconditional install-time exfiltration of host identifiers to an attacker-controlled endpoint.
Compromised versions (1)
- 99.9.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.