VYPR

npm · Malicious package advisory

Malware

platform-tempo

MAL-2026-4641

Malicious code in platform-tempo (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd)
platform-tempo@99.0.1 declares a `preinstall` hook that runs `poc.js` on every `npm install`. The script collects host identity (`os.hostname()`, `whoami /all` / `id`, `ipconfig` / `ip a`), the parent project's `package.json`, git remotes, CI configuration files (`.gitlab-ci.yml`, `.github/workflows/*`, `Jenkinsfile`, `azure-pipelines.yml`), and a curated dump of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/CI patterns. The collected data is HTTPS POSTed to a hardcoded interactsh OAST domain (`d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me`) with the package name as the path, plus a DNS beacon to the same host. The package name `platform-tempo` combined with version `99.0.1` is the canonical dependency-confusion shape — designed to be auto-resolved by an internal package resolver in preference to a private package of the same name. Self-described `bug bounty` framing in the package description does not change the install-time impact on any third party whose resolver picks up this public name: their CI tokens, cloud credentials, and source-tree metadata are shipped to the attacker-controlled OAST endpoint.

Compromised versions (1)

  • 99.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.