{"id":"MAL-2026-4641","summary":"Malicious code in platform-tempo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd)\nplatform-tempo@99.0.1 declares a `preinstall` hook that runs `poc.js` on every `npm install`. The script collects host identity (`os.hostname()`, `whoami /all` / `id`, `ipconfig` / `ip a`), the parent project's `package.json`, git remotes, CI configuration files (`.gitlab-ci.yml`, `.github/workflows/*`, `Jenkinsfile`, `azure-pipelines.yml`), and a curated dump of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/CI patterns. The collected data is HTTPS POSTed to a hardcoded interactsh OAST domain (`d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me`) with the package name as the path, plus a DNS beacon to the same host. The package name `platform-tempo` combined with version `99.0.1` is the canonical dependency-confusion shape — designed to be auto-resolved by an internal package resolver in preference to a private package of the same name. Self-described `bug bounty` framing in the package description does not change the install-time impact on any third party whose resolver picks up this public name: their CI tokens, cloud credentials, and source-tree metadata are shipped to the attacker-controlled OAST endpoint.\n","modified":"2026-05-26T06:02:49.171729486Z","published":"2026-05-25T14:15:52Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-25T14:15:52Z","sha256":"6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd","versions":["99.0.1"],"id":"IN-MAL-2026-004684","import_time":"2026-05-26T05:53:04.964372908Z"},{"source":"amazon-inspector","modified_time":"2026-05-25T14:15:52Z","sha256":"8044888825f16fece5bebc27183d2ee55938d631672343c0b50fd3a0550cad57","versions":["99.0.1"],"id":"IN-MAL-2026-004685","import_time":"2026-05-26T05:53:05.089700522Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/platform-tempo/v/99.0.1"}],"affected":[{"package":{"name":"platform-tempo","ecosystem":"npm","purl":"pkg:npm/platform-tempo"},"versions":["99.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/platform-tempo/MAL-2026-4641.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"domains":["platform-tempo-7363616e2d39323134653765316335.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me","d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"],"package_integrity":[{"filename":"platform-tempo-99.0.1.tgz","hashes":{"sha512_sri":"sha512-LAnE1N6OAIB1GtxlhGbkX0dJOH8J1ZAtGR8wZSf2iMCHGa565sGRA6QUhx8ug4HlD6PgKSs0pAVQZMA6etOpdg==","sha1":"f89bd38ac141997e97df67b3edfc040abbcce8c5"}}],"evidence_files":[{"tlsh":"7371b79482fa1e3022aa7571b5cd000522d7d3933206f9d4798c1a915f9e4b482f67bd","path":"poc.js","sha256":"136ab46ea6423a9d7b9fffb0b287f3a2ae38bb43af03cda7c2b3b762b4a08681"},{"tlsh":"1ce07d781524143317d8c3fe15f644479128cd0b5108ac1d4753348c43eeb63457fb5e","path":"package.json","sha256":"5d90a8ff451a82a001f26402727f428434c0b6cded835cf9873544865b4356bf"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}