-= Per source details. Do not edit below this line.=-
rtc-integration-frontend-sdk@99.9.0 registers a postinstall lifecycle hook ("postinstall": "node index.js") that fires automatically on npm install. index.js collects installer host reconnaissance — os.hostname(), userInfo().username, platform/arch, local network interface addresses, the public IP resolved via a call to https://api.ipify.org, the current working directory, and the package name — and POSTs the collected data to a hardcoded Discord webhook at discord.com/api/webhooks/. The package name and 99.9.0 version shape are consistent with a typosquat/version-bump lure; installing the package causes unconditional install-time exfiltration of host identifiers to an attacker-controlled endpoint.
{
"malicious-packages-origins": [
{
"sha256": "acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a",
"id": "IN-MAL-2026-009613",
"import_time": "2026-07-10T15:23:37.089962337Z",
"versions": [
"99.9.0"
],
"modified_time": "2026-07-10T15:19:04Z",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "rtc-integration-frontend-sdk-99.9.0.tgz",
"hashes": {
"sha512_sri": "sha512-MEOD/3oi54N/eBIYl1cKr1JVeYSxfar5FM9hTZ1Ao02mB/74u0bxKmAmdndTwAXE8daE5QykjLC4zn77T1/7dA==",
"sha1": "2719d63f9ab0669a231a41e9ef356b3e632bdb14"
}
}
],
"evidence_files": [
{
"sha256": "a3939a87a0d561a005f247c5d671c1740860b801962c948bcb7c653e0d226eba",
"tlsh": "4c41424e65e27a300e1b1894456b10037357902b7e1cfdd0bf9e81440fa95b8da73bf5",
"path": "index.js"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rtc-integration-frontend-sdk/MAL-2026-10129.json"