{"id":"MAL-2026-10129","summary":"Malicious code in rtc-integration-frontend-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a)\nrtc-integration-frontend-sdk@99.9.0 registers a postinstall lifecycle hook (\"postinstall\": \"node index.js\") that fires automatically on npm install. index.js collects installer host reconnaissance — os.hostname(), userInfo().username, platform/arch, local network interface addresses, the public IP resolved via a call to https://api.ipify.org, the current working directory, and the package name — and POSTs the collected data to a hardcoded Discord webhook at discord.com/api/webhooks/. The package name and 99.9.0 version shape are consistent with a typosquat/version-bump lure; installing the package causes unconditional install-time exfiltration of host identifiers to an attacker-controlled endpoint.\n","modified":"2026-07-10T15:32:11.581723478Z","published":"2026-07-10T15:19:04Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T15:23:37.089962337Z","sha256":"acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a","source":"amazon-inspector","modified_time":"2026-07-10T15:19:04Z","versions":["99.9.0"],"id":"IN-MAL-2026-009613"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rtc-integration-frontend-sdk/v/99.9.0"}],"affected":[{"package":{"name":"rtc-integration-frontend-sdk","ecosystem":"npm","purl":"pkg:npm/rtc-integration-frontend-sdk"},"versions":["99.9.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rtc-integration-frontend-sdk/MAL-2026-10129.json","indicators":{"evidence_files":[{"sha256":"a3939a87a0d561a005f247c5d671c1740860b801962c948bcb7c653e0d226eba","tlsh":"4c41424e65e27a300e1b1894456b10037357902b7e1cfdd0bf9e81440fa95b8da73bf5","path":"index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-MEOD/3oi54N/eBIYl1cKr1JVeYSxfar5FM9hTZ1Ao02mB/74u0bxKmAmdndTwAXE8daE5QykjLC4zn77T1/7dA==","sha1":"2719d63f9ab0669a231a41e9ef356b3e632bdb14"},"filename":"rtc-integration-frontend-sdk-99.9.0.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}