{"id":"MAL-2026-2523","summary":"Malicious code in @telekom-wfa/auth-core (npm)","details":"Package is malware. Hardcoded Telegram credentials, data exfiltration, and preinstall script execution indicate malicious intent.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a2fe12e5542ae8cf1cf339c13c3480629ccfd6e2fb391427c4f1b17bbdc9f85)\nThe package @telekom-wfa/auth-core was found to contain malicious code.\n","modified":"2026-04-10T17:36:05.508275Z","published":"2026-04-09T08:25:05Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.11"],"source":"amazon-inspector","sha256":"9a2fe12e5542ae8cf1cf339c13c3480629ccfd6e2fb391427c4f1b17bbdc9f85","modified_time":"2026-04-10T17:02:58Z","import_time":"2026-04-10T17:21:50.426527066Z"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KNBNBBC056KN155K3GGBG0NV"}],"affected":[{"package":{"name":"@telekom-wfa/auth-core","ecosystem":"npm","purl":"pkg:npm/%40telekom-wfa/auth-core"},"versions":["99.9.11"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@telekom-wfa/auth-core/MAL-2026-2523.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}