npm · Malicious package advisory
Malware@tse-digital/core
MAL-2026-5157
Malicious code in @tse-digital/core (npm)
Details
Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations (Telenor, Ownit, Vimla, and Customer 360 / C360). Four packages published by the `debating0166` npm account use inflated version numbers (99.0.x) to win npm registry resolution over private internal packages of the same names. A shared `callback.js` executed via the `preinstall` hook collects system reconnaissance data: hostname, username, working directory, platform, network interfaces, npm registry configuration, and environment variables matching organization-specific and CI/CD patterns (`telenor`, `ownit`, `vimla`, `c360`, `customer`, `threesixty`, `maui`, CI tokens, pipeline variables) and exfiltrates the payload via HTTP POST to `128.199.50.160:8888/depconf`. This package impersonates `@tse-digital/core`, an internal package of TSE Digital, a digital services entity connected to the Telenor group. Version 99.0.0 was published to resolve ahead of any private registry copy.