npm · Malicious package advisory
Malwaretempo-shared-modules
MAL-2026-4688
Malicious code in tempo-shared-modules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839) On `npm install`, the preinstall script `poc.js` collects host identity (hostname, username, OS/platform), network configuration (ipconfig / ip a / resolv.conf), git remote, the parent project's package.json, CI configuration files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and bulk-scrapes process.env for any variable name matching TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, CI_, JENKINS, BUILD, or WALMART together with their values. The collected payload is POSTed over HTTPS to the hardcoded interactsh OAST endpoint `d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me`. The package is published at version 99.0.2 on the public npm registry under a name designed to be resolved by mistake instead of an internal `@livingdesign/react` private package — the canonical dependency-confusion shape. The package's own description self-labels it as a Walmart HackerOne PoC, but it is publicly installable and any non-Walmart installer that resolves it is harmed: their CI tokens, cloud credentials, and pipeline configuration are sent to a third-party OAST callback host. Any one of (preinstall env-credential scrape, hardcoded OAST exfil endpoint, dependency-confusion publication shape) is independently sufficient to block.
Compromised versions (3)
- 99.0.0
- 99.0.1
- 99.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.