{
  "id": "MAL-2026-4252",
  "summary": "Malicious code in @43uh3ig43/telemetry-client (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89)\nOn npm install, the package's preinstall, install, and postinstall lifecycle hooks all invoke telemetry.js, which collects host metadata (OS, architecture, Node version, pid) and CI-provider identification (probing GITHUB_ACTIONS, AZURE_DEVOPS, JENKINS_HOME environment variables), hex-encodes the JSON payload, and exfiltrates it via DNS lookups to subdomains of d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro — a Project Discovery interactsh out-of-band server. The exfil destination is split-string concatenated at telemetry.js:15 (`\"d87vcrdfokaufbs0\"+\"qf903rg6tp9to7jpe\"+\".\"+\"oa\"+\"st\"+\".\"+\"pro\"`) specifically to evade naive static grep. The package's user-facing index.js is a stub that only logs a string; the real behavior is the install-time beacon. Combined with the random-looking scope, anomalously high version (99.0.1), and UNLICENSED metadata, this is the canonical fingerprint of a dependency-confusion / supply-chain recon probe — designed to trigger from corporate build systems whose internal package names collide with this scope and to phone home with enough host context to identify the victim organization.\n\n## Source: ossf-package-analysis (bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862)\nThe OpenSSF Package Analysis project identified '@43uh3ig43/telemetry-client' @ 99.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
  "modified": "2026-05-26T06:01:51.171040522Z",
  "published": "2026-05-22T06:28:38Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-05-22T07:48:02.178676929Z",
        "modified_time": "2026-05-22T07:05:50Z",
        "source": "ossf-package-analysis",
        "sha256": "bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862",
        "versions": ["99.0.1"]
      },
      {
        "import_time": "2026-05-26T05:52:02.198612438Z",
        "sha256": "2cfd4ae6b32f9425af323ba62839f08fdf413cfe955a027662171781ba0f30ed",
        "source": "amazon-inspector",
        "versions": ["99.0.1"],
        "id": "IN-MAL-2026-004152",
        "modified_time": "2026-05-22T06:28:39Z"
      },
      {
        "import_time": "2026-05-26T05:52:02.093742844Z",
        "versions": ["99.0.1"],
        "source": "amazon-inspector",
        "modified_time": "2026-05-22T06:28:38Z",
        "id": "IN-MAL-2026-004151",
        "sha256": "37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@43uh3ig43/telemetry-client/v/99.0.1"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "@43uh3ig43/telemetry-client",
        "ecosystem": "npm",
        "purl": "pkg:npm/%4043uh3ig43%2Ftelemetry-client"
      },
      "versions": ["99.0.1"],
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@43uh3ig43/telemetry-client/MAL-2026-4252.json",
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-rpbkCihROyW2XeGlckpK3kUko//kxw8dDFVNajGSeCsleJ/eAGoCCIVbkvZbbISApiegfHXvXoGlMrBjctmaDQ==",
                "sha1": "72a3615cd15ac27c6d907f0bbb51b191efcca869"
              },
              "filename": "telemetry-client-99.0.1.tgz"
            }
          ],
          "evidence_files": [
            {
              "sha256": "612e8a1549cd4dea5400ed9375aebc9d3d630e2fcc4b681750dbec489de5a748",
              "path": "telemetry.js",
              "tlsh": "1b4174ae59e8312911722468f81f4b41a1b7e2231e34f995f89bc3b41fe19bc11f86f4"
            },
            {
              "sha256": "53003d2639c4e3cbbf263d6127bee2a04e3eac152fbb227162b96595d86cb0c4",
              "tlsh": "4df08b386e2649372dd127a3da7744c1b37a0d770509380c2b83060d8a8e52f25ff32e",
              "path": "package.json"
            }
          ],
          "domains": [
            "p4.77645f68617368223a302c22706964223a32337d.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "k.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p4.77645f68617368223a302c22706964223a33347d.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p1.227473223a313737393433313238373439372c226f73223a22.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p4.77645f68617368223a302c22706964223a34357d.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "c.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p0.7b22736368656d61223a312c22626964223a2274653163222c.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p3.696d65223a227631382e32302e38222c226369223a302c2263.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p1.227473223a313737393433313238353330392c226f73223a22.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p1.227473223a313737393433313238323430332c226f73223a22.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro",
            "p2.6c696e7578222c2261726368223a22783634222c2272756e74.te1c.d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro"
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com"],
      "type": "FINDER"
    },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"],
      "type": "FINDER"
    }
  ]
}
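The hex-encoded DNS beacon described in the amazon-inspector source text can be reconstructed from the query names recorded under indicators.domains, which is what an incident responder needs to know what a build host leaked. The following Python is an added example written for this page; it is not code from the package, from Amazon Inspector or from OpenSSF. It groups the p<seq> labels by beacon id, hex-decodes them in sequence order and parses the result as JSON. The label layout p<seq>.<hex>.<beacon-id>.<oast-host> is an assumption inferred from the listed names, and the field names the decode reveals beyond those the advisory states (schema, bid, ts, cwd_hash) are simply what the bytes contain, not documented behaviour.

```python
"""Reassemble the hex-encoded beacon that @43uh3ig43/telemetry-client sends
over DNS, from resolver or query logs.

Added example for this advisory; not code from the package or from either
reporting source. ADVISORY_DOMAINS is the `domains` indicator list from the
advisory, copied verbatim. The chunk layout p<seq>.<hex>.<beacon-id>.<host>
is an assumption inferred from those names.
"""
import json
import re
from collections import defaultdict

OAST_HOST = "d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro"

# Data-bearing labels look like p<seq>.<hex>.<beacon id>.<oast host>.
# The "k." and "c." names in the indicators carry no hex and are skipped.
CHUNK_RE = re.compile(
    r"^p(?P<seq>\d+)\.(?P<hex>(?:[0-9a-f]{2})+)\.(?P<bid>[0-9a-z]+)\."
    + re.escape(OAST_HOST) + r"\.?$"
)

ADVISORY_DOMAINS = [
    "p4.77645f68617368223a302c22706964223a32337d.te1c." + OAST_HOST,
    "k.te1c." + OAST_HOST,
    "p4.77645f68617368223a302c22706964223a33347d.te1c." + OAST_HOST,
    "p1.227473223a313737393433313238373439372c226f73223a22.te1c." + OAST_HOST,
    "p4.77645f68617368223a302c22706964223a34357d.te1c." + OAST_HOST,
    "c.te1c." + OAST_HOST,
    "p0.7b22736368656d61223a312c22626964223a2274653163222c.te1c." + OAST_HOST,
    "p3.696d65223a227631382e32302e38222c226369223a302c2263.te1c." + OAST_HOST,
    "p1.227473223a313737393433313238353330392c226f73223a22.te1c." + OAST_HOST,
    "p1.227473223a313737393433313238323430332c226f73223a22.te1c." + OAST_HOST,
    "p2.6c696e7578222c2261726368223a22783634222c2272756e74.te1c." + OAST_HOST,
]


def collect_chunks(qnames):
    """Map beacon id -> seq -> distinct hex chunks, in first-seen order.

    A slot with several distinct chunks means the beacon fired more than once
    (different pid / ts). Log order alone does not say which p1 belongs with
    which p4, so every variant is kept rather than guessing a pairing.
    """
    chunks = defaultdict(lambda: defaultdict(list))
    for q in qnames:
        m = CHUNK_RE.match(q.strip().lower())
        if not m:
            continue
        seq, hx, bid = int(m["seq"]), m["hex"], m["bid"]
        if hx not in chunks[bid][seq]:
            chunks[bid][seq].append(hx)
    return chunks


def reassemble(slots, variant=0):
    """Join slots 0..N-1 using the given variant index per slot (clamped).

    Returns the decoded UTF-8 text, or None when a sequence number is missing
    (the capture lost a query) or the bytes are not valid UTF-8.
    """
    seqs = sorted(slots)
    if seqs != list(range(len(seqs))):
        return None
    hexstr = "".join(slots[s][min(variant, len(slots[s]) - 1)] for s in seqs)
    try:
        return bytes.fromhex(hexstr).decode("utf-8")
    except ValueError:
        return None


def decode_beacons(qnames):
    """Per beacon id: the JSON payload built from the first-seen variant of
    each slot, plus how many distinct chunks each slot had."""
    out = {}
    for bid, slots in collect_chunks(qnames).items():
        text = reassemble(slots)
        try:
            payload = json.loads(text) if text is not None else None
        except json.JSONDecodeError:
            payload = None
        out[bid] = {
            "payload": payload,
            "variants": {s: len(v) for s, v in sorted(slots.items())},
        }
    return out


if __name__ == "__main__":
    for bid, info in decode_beacons(ADVISORY_DOMAINS).items():
        print(bid, json.dumps(info["payload"]), info["variants"])
```

Run it over the query-name column of whatever DNS log you keep (BIND query log, Zeek dns.log, resolver or EDR telemetry); a `variants` count above 1 on slots 1 and 4 is the three separate install runs visible in the advisory's own indicator list (three timestamps, three pids). Matching on the assembled query name sidesteps the split-string trick entirely, since the concatenation only exists in the source; the resolver sees the finished host name. For hunting beyond this one package, widen the host match to the interactsh service as a whole, but note that the p<seq> chunk layout is specific to this sample and should not be assumed for other beacons.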