VYPR

npm · Malicious package advisory

Malware

tempo-layout

MAL-2026-4686

Malicious code in tempo-layout (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6)
tempo-layout@99.0.2 ships a preinstall hook (poc.js) that unconditionally collects host identity (os.hostname, whoami, id), network configuration (ipconfig/ip a/resolv.conf), git remote, parent package.json, CI pipeline files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and a filtered sweep of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/JENKINS/WALMART/CI_/BUILD prefixes. The collected JSON is POSTed over HTTPS to a hardcoded interactsh subdomain (d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me) on `npm install`. The package additionally self-identifies as a dependency-confusion proof-of-concept targeting an internal namespace (@livingdesign/react) and is published to the public npm registry so any organization whose resolver falls through to public npm receives the payload. Regardless of any bug-bounty framing in the metadata, the published artifact harvests installer credentials and CI tokens and ships them off-host on install — this is an installer-side supply-chain attack.

Compromised versions (3)

  • 99.0.1
  • 99.0.0
  • 99.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.