VYPR

npm · Malicious package advisory

Malware

tempo-components

MAL-2026-4685

Malicious code in tempo-components (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024)
The package contains a file (poc.js) that imports os, https, fs, and child_process; collects host identifiers including os.hostname(), os.platform(), and the output of `whoami`; and POSTs the data via https.request to an external endpoint. This is a classic system-reconnaissance and exfiltration shape with no benign interpretation for a package distributed under a 'components' name. Installing or loading this code on a build or developer machine causes host metadata and identity information to be transmitted off-host.

Compromised versions (1)

  • 99.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.