{"id":"MAL-2026-4686","summary":"Malicious code in tempo-layout (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6)\ntempo-layout@99.0.2 ships a preinstall hook (poc.js) that unconditionally collects host identity (os.hostname, whoami, id), network configuration (ipconfig/ip a/resolv.conf), git remote, parent package.json, CI pipeline files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and a filtered sweep of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/JENKINS/WALMART/CI_/BUILD prefixes. The collected JSON is POSTed over HTTPS to a hardcoded interactsh subdomain (d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me) on `npm install`. The package additionally self-identifies as a dependency-confusion proof-of-concept targeting an internal namespace (@livingdesign/react) and is published to the public npm registry so any organization whose resolver falls through to public npm receives the payload. Regardless of any bug-bounty framing in the metadata, the published artifact harvests installer credentials and CI tokens and ships them off-host on install — this is an installer-side supply-chain attack.\n","modified":"2026-05-26T06:02:58.956225526Z","published":"2026-05-25T13:57:52Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T14:04:54Z","versions":["99.0.1"],"import_time":"2026-05-26T05:53:03.421717477Z","id":"IN-MAL-2026-004670","sha256":"44d04dff489ed1e87d2258e629b6f6b7c6b4090c2f4540e1aa3dab87d2999690","source":"amazon-inspector"},{"modified_time":"2026-05-25T13:57:52Z","versions":["99.0.0"],"import_time":"2026-05-26T05:53:02.146203626Z","id":"IN-MAL-2026-004658","source":"amazon-inspector","sha256":"c3f1e43c7ff8f95617d841a068f59847f92e6487ac024a31cc9e4a765799d7de"},{"modified_time":"2026-05-25T14:09:57Z","versions":["99.0.2"],"sha256":"795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6","import_time":"2026-05-26T05:53:04.109100916Z","id":"IN-MAL-2026-004676","source":"amazon-inspector"},{"modified_time":"2026-05-25T13:57:52Z","versions":["99.0.0"],"import_time":"2026-05-26T05:53:02.037284755Z","id":"IN-MAL-2026-004657","sha256":"ada1f3c19a6252264962a2efe3bc53fba1340c3bce76257ef9054ac5e1963a5d","source":"amazon-inspector"},{"modified_time":"2026-05-25T14:04:54Z","versions":["99.0.1"],"source":"amazon-inspector","sha256":"b17d078c4f137d26fb548d86936b2da4ae3b3ab1328d14fed33975ab5a140d3f","import_time":"2026-05-26T05:53:03.545519374Z","id":"IN-MAL-2026-004671"},{"modified_time":"2026-05-25T14:09:58Z","versions":["99.0.2"],"import_time":"2026-05-26T05:53:04.223105075Z","id":"IN-MAL-2026-004677","source":"amazon-inspector","sha256":"b200465f630596d74ae24899022d0a24082514304b201987ca6e4cbecaf317bf"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-layout/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-layout/v/99.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-layout/v/99.0.0"}],"affected":[{"package":{"name":"tempo-layout","ecosystem":"npm","purl":"pkg:npm/tempo-layout"},"versions":["99.0.1","99.0.0","99.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-layout/MAL-2026-4686.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"domains":["d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro","tempo-layout-7363616e2d38663633613365656333.d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro"],"package_integrity":[{"filename":"tempo-layout-99.0.1.tgz","hashes":{"sha512_sri":"sha512-kxnGG221LCurEj7DMPDdCGOkQhtIsnUMYshGi352sD7gaHjxFc6HoBAlWHWfFIexSHntJy3SEXEAUbk2KHEyWg==","sha1":"f52f6a14d7f0d04e397ca2dcc388d80660455c6e"}}],"evidence_files":[{"path":"poc.js","sha256":"ecb577737482bd21bf2693c33bb07cb998eb03401ed5f8d8b6a295f19da7b9b4","tlsh":"de3165d615f9647036a7f6c0b0d6ad514367e323b54af8e8258c094123df9f141f92e5"},{"path":"package.json","sha256":"6b4cf996dc6565995b4b6f0f7f24a5ae446b8a301c9a8b65ca70f158e6c0cb17","tlsh":"4ae07d78141020235ad8c3fa05b658479128cd0b11186c1d0757344c43aeb63017eb5e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}