{"id":"MAL-2026-4688","summary":"Malicious code in tempo-shared-modules (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839)\nOn `npm install`, the preinstall script `poc.js` collects host identity (hostname, username, OS/platform), network configuration (ipconfig / ip a / resolv.conf), git remote, the parent project's package.json, CI configuration files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and bulk-scrapes process.env for any variable name matching TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, CI_, JENKINS, BUILD, or WALMART together with their values. The collected payload is POSTed over HTTPS to the hardcoded interactsh OAST endpoint `d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me`. The package is published at version 99.0.2 on the public npm registry under a name designed to be resolved by mistake instead of an internal `@livingdesign/react` private package — the canonical dependency-confusion shape. The package's own description self-labels it as a Walmart HackerOne PoC, but it is publicly installable and any non-Walmart installer that resolves it is harmed: their CI tokens, cloud credentials, and pipeline configuration are sent to a third-party OAST callback host. Any one of (preinstall env-credential scrape, hardcoded OAST exfil endpoint, dependency-confusion publication shape) is independently sufficient to block.\n","modified":"2026-05-26T06:02:59.505984702Z","published":"2026-05-25T13:57:56Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004662","modified_time":"2026-05-25T13:57:56Z","versions":["99.0.0"],"sha256":"20b9b8ffa86b1c20c57373cb838ffa8cf2ce24e3252a3743447f558f6735ce80","import_time":"2026-05-26T05:53:02.582660026Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-004669","modified_time":"2026-05-25T14:04:49Z","versions":["99.0.1"],"sha256":"48eb6cac999b06cb5702ab9a8c3331203c4ff1dfaf7b731b787674591c3fdab5","import_time":"2026-05-26T05:53:03.315680949Z","source":"amazon-inspector"},{"versions":["99.0.2"],"modified_time":"2026-05-25T14:09:58Z","id":"IN-MAL-2026-004679","sha256":"70f130e6b964b09838d87156654512b8d6a5aa42b7628b895a5b838abfcdccbb","source":"amazon-inspector","import_time":"2026-05-26T05:53:04.475585589Z"},{"id":"IN-MAL-2026-004668","modified_time":"2026-05-25T14:04:49Z","versions":["99.0.1"],"sha256":"91413a893d29a69728f489d3f1fe7258b54917dcbbb844dea20b6c96300df198","source":"amazon-inspector","import_time":"2026-05-26T05:53:03.216923665Z"},{"id":"IN-MAL-2026-004678","modified_time":"2026-05-25T14:09:58Z","versions":["99.0.2"],"sha256":"bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839","import_time":"2026-05-26T05:53:04.354840767Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-004661","modified_time":"2026-05-25T13:57:56Z","versions":["99.0.0"],"sha256":"3f014249f0e3b0768728d347f0d61c96c8e400fc3851c8dcf75c8528cae7e285","import_time":"2026-05-26T05:53:02.470346532Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-shared-modules/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-shared-modules/v/99.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tempo-shared-modules/v/99.0.0"}],"affected":[{"package":{"name":"tempo-shared-modules","ecosystem":"npm","purl":"pkg:npm/tempo-shared-modules"},"versions":["99.0.0","99.0.1","99.0.2"],"database_specific":{"indicators":{"domains":["tempo-shared-modules-7363616e2d38623063656561376162.d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro","d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro"],"package_integrity":[{"hashes":{"sha1":"97afab8d200fb02d6cf83661daf0a577a2ccb3db","sha512_sri":"sha512-BNXzhlXmOUYjtRVgm8E87767lJaNlwh2Xqd+udf6ZrfiWG4Mmxhn5v3bSYj/1TU6hafQiGpHigolNuPCLoBvwA=="},"filename":"tempo-shared-modules-99.0.1.tgz"}],"evidence_files":[{"tlsh":"033165d619f964b036a6f6c0b0d6ad515767e333b54af8e8218c0a8163cf9f141f92e4","path":"poc.js","sha256":"ced5e45d4fa183c6b96b5d17b299b541ccc936f7fcd3c1eff70ef9d782872ea2"},{"tlsh":"1ae07d78186414231ad8c3fb65b6444ba128cd1b51186c1d0797348c42afb7301bfb5d","path":"package.json","sha256":"aa6a85c1051710b1122650fe43acc5f6b8f478cb5f10093e90a3e108e5719fff"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-shared-modules/MAL-2026-4688.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}