npm · Malicious package advisory
Malwaretempo-components
MAL-2026-4685
Malicious code in tempo-components (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024) The package contains a file (poc.js) that imports os, https, fs, and child_process; collects host identifiers including os.hostname(), os.platform(), and the output of `whoami`; and POSTs the data via https.request to an external endpoint. This is a classic system-reconnaissance and exfiltration shape with no benign interpretation for a package distributed under a 'components' name. Installing or loading this code on a build or developer machine causes host metadata and identity information to be transmitted off-host.
Compromised versions (1)
- 99.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.