npm · Malicious package advisory
Malwarettspc-server-sample
MAL-2026-5707
Malicious code in ttspc-server-sample (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b) ttspc-server-sample@99.9.0 declares `postinstall: node index.js` in package.json, so on `npm install` it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (`ps aux` on Unix, `tasklist /V` on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via `X-PoC-Type: dependency-confusion` / `X-PoC-Package: ttspc-server-sample` headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one. ## Source: ghsa-malware (4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8) The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (6)
- 99.9.0
- 99.9.1
- 9.0.0
- 99.9.2
- 99.9.3
- 9.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.