MAL-2026-10704

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@across-toolkit/typescript-config/MAL-2026-10704.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10704
Published
2026-07-16T18:34:08Z
Modified
2026-07-16T19:19:52.973705439Z
Summary
Malicious code in @across-toolkit/typescript-config (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5580d26d1829c9faf6465962431399aee9804c8ed1264274b30b9ce42f274bd9)

Package impersonates the across-protocol organization (published as @across-toolkit/typescript-config@99.0.0, a high-version dependency-confusion shape) and ships two postinstall stealer scripts that run automatically on npm install. postinstall.js and eslint-config/postinstall.js read installer-owned secrets from ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.npmrc, ~/.gitconfig,.env files, /etc/environment, /proc/1/environ, and gcloud application default credentials, and query cloud instance metadata services at http://metadata.google.internal/computeMetadata/v1/ (with the Metadata-Flavor: Google header) and http://169.254.169.254/ for IAM security credentials and OAuth tokens. The collected files, IMDS responses, and a base64-encoded copy of process.env (including NPM_TOKEN) are POSTed via https.request to two hardcoded webhook.site collectors (paths /a585f4ec-20f7-4bd1-bac7-f3e53799dc5f and /12b523e2-ee58-4598-8fe1-bbf1f3999550). The declared package purpose is a shared tsconfig; the network exfiltration and credential harvesting have no relation to that purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:34:08Z",
            "sha256": "5580d26d1829c9faf6465962431399aee9804c8ed1264274b30b9ce42f274bd9",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-07-16T18:53:59.831945562Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010699"
        },
        {
            "modified_time": "2026-07-16T18:34:25Z",
            "sha256": "76463f7af786d538f929fe7f1644dc5ec072a7a9bdf4e0c4b7482fa510450c44",
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-07-16T18:53:59.941024553Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010701"
        }
    ]
}
References
Credits

Affected packages

npm / @across-toolkit/typescript-config

Package

Name
@across-toolkit/typescript-config
View open source insights on deps.dev
Purl
pkg:npm/%40across-toolkit/typescript-config

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "typescript-config-99.0.0.tgz",
            "hashes": {
                "sha1": "e8e3e02115c42548b0b2b876f09b261de643b82e",
                "sha512_sri": "sha512-AtZBWRn1BrC1xu2NlhMQcSQcaQ4Sg3fSVc/T6ZGF7qs3lo5G504OlYoMfWFjwgxuXt7pcc04BjpmPHRLr/iJlw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "bd5183d42df2706816d3fa59e25fa805a127e10b7d06e9d4f9dc08200f9e52ca6b29dc",
            "sha256": "41f31f3699b60c7002b6957e89cac446dbd840b87bac4852f76a56a3a7e7a08b",
            "path": "postinstall.js"
        },
        {
            "tlsh": "e9311fe20aba162002d3f691d75f68206216e2677d0bf8c0fd5819524f5c62c87f2cfd",
            "sha256": "236544b401ec5b4c50544816f0a4a577fc2c8a08f7bf490ff8386ca19f92bdd3",
            "path": "eslint-config/postinstall.js"
        },
        {
            "tlsh": "49e022158e268e7368c48e578833421bfe394f9b1469ac0c36e7b2340b2d9375e3620d",
            "sha256": "250de4cf58511ed5a60b02b297584a71ae11718252574c1599c95e9fd8552a0b",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@across-toolkit/typescript-config/MAL-2026-10704.json"