{"id":"MAL-2026-5156","summary":"Malicious code in @telenor-se/core (npm)","details":"Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations (Telenor, Ownit, Vimla, and Customer 360 / C360). Four packages published by the `debating0166` npm account use inflated version numbers (99.0.x) to win npm registry resolution over private internal packages of the same names. A shared `callback.js` executed via the `preinstall` hook collects system reconnaissance data: hostname, username, working directory, platform, network interfaces, npm registry configuration, and environment variables matching organization-specific and CI/CD patterns (`telenor`, `ownit`, `vimla`, `c360`, `customer`, `threesixty`, `maui`, CI tokens, pipeline variables) and exfiltrates the payload via HTTP POST to `128.199.50.160:8888/depconf`.\n\nThis package impersonates `@telenor-se/core`, an internal package of Telenor Sweden. Version 99.0.0 was published to resolve ahead of any private registry copy.","modified":"2026-06-02T10:46:38.144243322Z","published":"2026-06-01T08:00:00Z","database_specific":{"malicious-packages-origins":null},"affected":[{"package":{"name":"@telenor-se/core","ecosystem":"npm","purl":"pkg:npm/%40telenor-se%2Fcore"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@telenor-se/core/MAL-2026-5156.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}