VYPR

npm · Malicious package advisory

Malware

itc-actors-api

MAL-2026-4589

Malicious code in itc-actors-api (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6)
The package contains callback.js which collects host identifiers and user information (os.hostname(), os.userInfo(), os.platform(), cwd) and transmits them via an HTTPS request. The file structures the collected data with fields like hostname, username, and cwd — the canonical reconnaissance-beacon shape used by dependency-confusion / supply-chain reconnaissance campaigns. The package name and 99.0.0 version (a high-version-number pattern typical of dependency-confusion attacks targeting internal package names) further corroborate malicious intent. Installing or loading this package leaks identifying information about the installer's machine to an external endpoint.

Compromised versions (1)

  • 99.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.