-= Per source details. Do not edit below this line.=-
Package impersonates the across-protocol organization (published as @across-toolkit/typescript-config@99.0.0, a high-version dependency-confusion shape) and ships two postinstall stealer scripts that run automatically on npm install. postinstall.js and eslint-config/postinstall.js read installer-owned secrets from ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.npmrc, ~/.gitconfig,.env files, /etc/environment, /proc/1/environ, and gcloud application default credentials, and query cloud instance metadata services at http://metadata.google.internal/computeMetadata/v1/ (with the Metadata-Flavor: Google header) and http://169.254.169.254/ for IAM security credentials and OAuth tokens. The collected files, IMDS responses, and a base64-encoded copy of process.env (including NPM_TOKEN) are POSTed via https.request to two hardcoded webhook.site collectors (paths /a585f4ec-20f7-4bd1-bac7-f3e53799dc5f and /12b523e2-ee58-4598-8fe1-bbf1f3999550). The declared package purpose is a shared tsconfig; the network exfiltration and credential harvesting have no relation to that purpose.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:34:08Z",
"sha256": "5580d26d1829c9faf6465962431399aee9804c8ed1264274b30b9ce42f274bd9",
"versions": [
"99.0.0"
],
"import_time": "2026-07-16T18:53:59.831945562Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010699"
},
{
"modified_time": "2026-07-16T18:34:25Z",
"sha256": "76463f7af786d538f929fe7f1644dc5ec072a7a9bdf4e0c4b7482fa510450c44",
"versions": [
"99.0.1"
],
"import_time": "2026-07-16T18:53:59.941024553Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010701"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "typescript-config-99.0.0.tgz",
"hashes": {
"sha1": "e8e3e02115c42548b0b2b876f09b261de643b82e",
"sha512_sri": "sha512-AtZBWRn1BrC1xu2NlhMQcSQcaQ4Sg3fSVc/T6ZGF7qs3lo5G504OlYoMfWFjwgxuXt7pcc04BjpmPHRLr/iJlw=="
}
}
],
"evidence_files": [
{
"tlsh": "bd5183d42df2706816d3fa59e25fa805a127e10b7d06e9d4f9dc08200f9e52ca6b29dc",
"sha256": "41f31f3699b60c7002b6957e89cac446dbd840b87bac4852f76a56a3a7e7a08b",
"path": "postinstall.js"
},
{
"tlsh": "e9311fe20aba162002d3f691d75f68206216e2677d0bf8c0fd5819524f5c62c87f2cfd",
"sha256": "236544b401ec5b4c50544816f0a4a577fc2c8a08f7bf490ff8386ca19f92bdd3",
"path": "eslint-config/postinstall.js"
},
{
"tlsh": "49e022158e268e7368c48e578833421bfe394f9b1469ac0c36e7b2340b2d9375e3620d",
"sha256": "250de4cf58511ed5a60b02b297584a71ae11718252574c1599c95e9fd8552a0b",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@across-toolkit/typescript-config/MAL-2026-10704.json"