{"id":"MAL-2026-5154","summary":"Malicious code in @customer-threesixty/assets (npm)","details":"Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations (Telenor, Ownit, Vimla, and Customer 360 / C360). Four packages published by the `debating0166` npm account use inflated version numbers (99.0.x) to win npm registry resolution over private internal packages of the same names. A shared `callback.js` executed via the `preinstall` hook collects system reconnaissance data: hostname, username, working directory, platform, network interfaces, npm registry configuration, and environment variables matching organization-specific and CI/CD patterns (`telenor`, `ownit`, `vimla`, `c360`, `customer`, `threesixty`, `maui`, CI tokens, pipeline variables) and exfiltrates the payload via HTTP POST to `128.199.50.160:8888/depconf`.\n\nThis package impersonates `@customer-threesixty/assets`, an internal package of Customer 360 (C360), a customer experience platform. Version 99.0.1 was published to resolve ahead of any private registry copy.","modified":"2026-06-02T10:46:38.147742274Z","published":"2026-06-01T08:00:00Z","database_specific":{"malicious-packages-origins":null},"affected":[{"package":{"name":"@customer-threesixty/assets","ecosystem":"npm","purl":"pkg:npm/%40customer-threesixty%2Fassets"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@customer-threesixty/assets/MAL-2026-5154.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}