{"id":"MAL-2026-4685","summary":"Malicious code in tempo-components (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024)\nThe package contains a file (poc.js) that imports os, https, fs, and child_process; collects host identifiers including os.hostname(), os.platform(), and the output of `whoami`; and POSTs the data via https.request to an external endpoint. This is a classic system-reconnaissance and exfiltration shape with no benign interpretation for a package distributed under a 'components' name. Installing or loading this code on a build or developer machine causes host metadata and identity information to be transmitted off-host.\n","modified":"2026-05-26T06:02:58.847686879Z","published":"2026-05-25T14:15:47Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-26T05:53:04.778599014Z","id":"IN-MAL-2026-004682","versions":["99.0.1"],"sha256":"6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024","modified_time":"2026-05-25T14:15:47Z"},{"source":"amazon-inspector","import_time":"2026-05-26T05:53:04.869125864Z","modified_time":"2026-05-25T14:15:48Z","versions":["99.0.1"],"sha256":"9f516fddd52133764a3ff124d5ec3f47b7327e7f6df709614b6040dc4eb35b3c","id":"IN-MAL-2026-004683"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-components/v/99.0.1"}],"affected":[{"package":{"name":"tempo-components","ecosystem":"npm","purl":"pkg:npm/tempo-components"},"versions":["99.0.1"],"database_specific":{"indicators":{"domains":["tempo-components-7363616e2d36313333363566633561.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me","d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"],"package_integrity":[{"filename":"tempo-components-99.0.1.tgz","hashes":{"sha512_sri":"sha512-Okl8VvweZsIzEMMpromguPoBh2Z7AX8BWdje0yBGlP5Blu0ske8NSFXoSRkjdBDoOgvSgcKJNHgdHTUH863Q0g==","sha1":"1dd86abc7f3a1262803a2740f5ec3d5e36a20938"}}],"evidence_files":[{"tlsh":"d671c7d482fa1e3022aa75b1b5cd040522d7d3933246f9d4798c1a919f9f8b482f67be","sha256":"47b3f821e4bb957a801afa370619987e7535f8527cc245deb5e555e85eff58d5","path":"poc.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-components/MAL-2026-4685.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}