npm · Malicious package advisory
Malware@customer-threesixty/assets
MAL-2026-5154
Malicious code in @customer-threesixty/assets (npm)
Details
Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations (Telenor, Ownit, Vimla, and Customer 360 / C360). Four packages published by the `debating0166` npm account use inflated version numbers (99.0.x) to win npm registry resolution over private internal packages of the same names. A shared `callback.js` executed via the `preinstall` hook collects system reconnaissance data: hostname, username, working directory, platform, network interfaces, npm registry configuration, and environment variables matching organization-specific and CI/CD patterns (`telenor`, `ownit`, `vimla`, `c360`, `customer`, `threesixty`, `maui`, CI tokens, pipeline variables) and exfiltrates the payload via HTTP POST to `128.199.50.160:8888/depconf`. This package impersonates `@customer-threesixty/assets`, an internal package of Customer 360 (C360), a customer experience platform. Version 99.0.1 was published to resolve ahead of any private registry copy.