npm · Malicious package advisory
Malware@telenor-se/core
MAL-2026-5156
Malicious code in @telenor-se/core (npm)
Details
Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations (Telenor, Ownit, Vimla, and Customer 360 / C360). Four packages published by the `debating0166` npm account use inflated version numbers (99.0.x) to win npm registry resolution over private internal packages of the same names. A shared `callback.js` executed via the `preinstall` hook collects system reconnaissance data: hostname, username, working directory, platform, network interfaces, npm registry configuration, and environment variables matching organization-specific and CI/CD patterns (`telenor`, `ownit`, `vimla`, `c360`, `customer`, `threesixty`, `maui`, CI tokens, pipeline variables) and exfiltrates the payload via HTTP POST to `128.199.50.160:8888/depconf`. This package impersonates `@telenor-se/core`, an internal package of Telenor Sweden. Version 99.0.0 was published to resolve ahead of any private registry copy.