MAL-2026-10129

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rtc-integration-frontend-sdk/MAL-2026-10129.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10129
Published
2026-07-10T15:19:04Z
Modified
2026-07-10T15:32:11.581723478Z
Summary
Malicious code in rtc-integration-frontend-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a)

rtc-integration-frontend-sdk@99.9.0 registers a postinstall lifecycle hook ("postinstall": "node index.js") that fires automatically on npm install. index.js collects installer host reconnaissance — os.hostname(), userInfo().username, platform/arch, local network interface addresses, the public IP resolved via a call to https://api.ipify.org, the current working directory, and the package name — and POSTs the collected data to a hardcoded Discord webhook at discord.com/api/webhooks/. The package name and 99.9.0 version shape are consistent with a typosquat/version-bump lure; installing the package causes unconditional install-time exfiltration of host identifiers to an attacker-controlled endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "acfd49527fb8be1135feb424b68f6c46779ba146d8372d276eac1735770d6e5a",
            "id": "IN-MAL-2026-009613",
            "import_time": "2026-07-10T15:23:37.089962337Z",
            "versions": [
                "99.9.0"
            ],
            "modified_time": "2026-07-10T15:19:04Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rtc-integration-frontend-sdk

Package

Name
rtc-integration-frontend-sdk
View open source insights on deps.dev
Purl
pkg:npm/rtc-integration-frontend-sdk

Affected ranges

Affected versions

99.*
99.9.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "rtc-integration-frontend-sdk-99.9.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-MEOD/3oi54N/eBIYl1cKr1JVeYSxfar5FM9hTZ1Ao02mB/74u0bxKmAmdndTwAXE8daE5QykjLC4zn77T1/7dA==",
                "sha1": "2719d63f9ab0669a231a41e9ef356b3e632bdb14"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "a3939a87a0d561a005f247c5d671c1740860b801962c948bcb7c653e0d226eba",
            "tlsh": "4c41424e65e27a300e1b1894456b10037357902b7e1cfdd0bf9e81440fa95b8da73bf5",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rtc-integration-frontend-sdk/MAL-2026-10129.json"