VYPR

npm · Malicious package advisory

Malware

tempo-modules

MAL-2026-4687

Malicious code in tempo-modules (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6ad4276e2eafbe6d7040f94ac546ec20e7ac211e1e5906964c25f581a519d183)
tempo-modules@99.0.1 is a dependency-confusion attack package. The package.json preinstall hook executes poc.js, which on every `npm install` harvests hostname, username, full network configuration (ipconfig/ip a/resolv.conf), git remote, parent package.json, and CI pipeline definitions (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), plus whoami/id output. It then iterates process.env and selects any key containing TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, CI, JENKINS, BUILD, WALMART, etc. — bulk credential scraping of cloud and CI tokens. The collected JSON is POSTed to https://d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me/<pkg> (an Interactsh out-of-band collector), with a hex-encoded host-user identifier additionally DNS-exfiltrated. The package is published at version 99.0.1 with an internal-sounding name to win dependency-confusion resolution against an organization's private registry; the description self-identifies as a 'Dependency Confusion PoC' for a bug-bounty program, but the published artifact harms any installer that resolves this name. Multiple independent block signals stack: lifecycle preinstall outbound exfil, bulk credential harvest of CI/cloud tokens, and dependency-confusion version inflation.

Compromised versions (1)

  • 99.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.