npm · Malicious package advisory
Malwareitc-actors-api
MAL-2026-4589
Malicious code in itc-actors-api (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6) The package contains callback.js which collects host identifiers and user information (os.hostname(), os.userInfo(), os.platform(), cwd) and transmits them via an HTTPS request. The file structures the collected data with fields like hostname, username, and cwd — the canonical reconnaissance-beacon shape used by dependency-confusion / supply-chain reconnaissance campaigns. The package name and 99.0.0 version (a high-version-number pattern typical of dependency-confusion attacks targeting internal package names) further corroborate malicious intent. Installing or loading this package leaks identifying information about the installer's machine to an external endpoint.
Compromised versions (1)
- 99.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.