{
  "id": "MAL-2026-5707",
  "summary": "Malicious code in ttspc-server-sample (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b)\nttspc-server-sample@99.9.0 declares `postinstall: node index.js` in package.json, so on `npm install` it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (`ps aux` on Unix, `tasklist /V` on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via `X-PoC-Type: dependency-confusion` / `X-PoC-Package: ttspc-server-sample` headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.\n\n## Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8)\nThe OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
  "modified": "2026-06-12T20:01:57.779252310Z",
  "published": "2026-06-12T19:03:04Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-06-12T19:43:39.174310688Z",
        "sha256": "42431437432238c5e538914744de6f640582830a717f2625f3dac00be71c3b62",
        "modified_time": "2026-06-12T19:03:05Z",
        "id": "IN-MAL-2026-005842",
        "source": "amazon-inspector",
        "versions": ["99.9.0"]
      },
      {
        "import_time": "2026-06-12T19:43:30.193877277Z",
        "sha256": "91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8",
        "modified_time": "2026-06-12T19:14:47Z",
        "source": "ossf-package-analysis",
        "versions": ["99.9.0"]
      },
      {
        "import_time": "2026-06-12T19:43:39.07759391Z",
        "sha256": "98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b",
        "modified_time": "2026-06-12T19:03:04Z",
        "id": "IN-MAL-2026-005841",
        "source": "amazon-inspector",
        "versions": ["99.9.0"]
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ttspc-server-sample/v/99.9.0"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "ttspc-server-sample",
        "ecosystem": "npm",
        "purl": "pkg:npm/ttspc-server-sample"
      },
      "versions": ["99.9.0"],
      "database_specific": {
        "cwes": [
          {
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506"
          }
        ],
        "indicators": {
          "domains": ["dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com"],
          "package_integrity": [
            {
              "filename": "ttspc-server-sample-99.9.0.tgz",
              "hashes": {
                "sha512_sri": "sha512-tSf1z5UOp7nM/H1rgzsUgX7u7HvYQRowqAeAnH3o8BDnEEYwsgP4xdGY4QwBi7S6ipOIK/neEBeO9wyxhJiLeg==",
                "sha1": "b0f881b131d100bce0b13f4b15bec64cc03bc388"
              }
            }
          ],
          "evidence_files": [
            {
              "tlsh": "01c150b501f2a62536e6f65d9a0ba111ba1cf0033e09f9a57d9cb3511fcd514c3b2af8",
              "sha256": "ba52629bd381bb56bf30901699e5b3b142bc251cc2f9993b9e8da365a11aa246",
              "path": "index.js"
            }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": [
        "https://github.com/ossf/package-analysis",
        "https://openssf.slack.com/channels/package_analysis"
      ],
      "type": "FINDER"
    }
  ]
}