-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall, install, and postinstall lifecycle hooks all invoke telemetry.js, which collects host metadata (OS, architecture, Node version, pid) and CI-provider identification (probing GITHUBACTIONS, AZUREDEVOPS, JENKINS_HOME environment variables), hex-encodes the JSON payload, and exfiltrates it via DNS lookups to subdomains of d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro — a ProjectDiscovery interactsh out-of-band server. The exfil destination is split-string concatenated at telemetry.js:15 ("d87vcrdfokaufbs0"+"qf903rg6tp9to7jpe"+"."+"oa"+"st"+"."+"pro") specifically to evade naive static grep. The package's user-facing index.js is a stub that only logs a string; the real behavior is the install-time beacon. Combined with the random-looking scope, anomalously high version (99.0.1), and UNLICENSED metadata, this is the canonical fingerprint of a dependency-confusion / supply-chain recon probe — designed to trigger from corporate build systems whose internal package names collide with this scope and to phone home with enough host context to identify the victim organization.
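The split-string evasion described above can be undone before matching. The following is an added example, not code from the advisory or the package: it folds adjacent string literals, then checks whether an install lifecycle hook runs a file that embeds a host under a watched OAST suffix. The suffix list, the `node telemetry.js` hook command and the sample file contents are assumptions.

```javascript
// Added example, not code from the advisory or the package.
// OAST_SUFFIXES is an assumed watch list; only "oast.pro" appears in the advisory.
const OAST_SUFFIXES = ["oast.pro"];
const HOOKS = ["preinstall", "install", "postinstall"];

// Merge adjacent quoted literals joined by "+" until nothing changes.
// Heuristic, not a JS parser: literals with escapes or nested quotes are skipped.
function foldStringConcat(src) {
  const pair = /(["'])([^"'\\\n]*)\1\s*\+\s*(["'])([^"'\\\n]*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_m, _q1, a, _q2, b) => `"${a}${b}"`);
  } while (src !== prev);
  return src;
}

// Return hostnames under a watched suffix that appear once literals are folded.
function findOastHosts(src) {
  const hits = new Set();
  for (const suffix of OAST_SUFFIXES) {
    const escaped = suffix.replace(/\./g, "\\.");
    const re = new RegExp(`(?<![a-z0-9-])(?:[a-z0-9-]+\\.)*${escaped}\\b`, "gi");
    for (const m of foldStringConcat(src).matchAll(re)) hits.add(m[0].toLowerCase());
  }
  return [...hits];
}

// Flag a package whose lifecycle hooks run a file that embeds a watched host.
function triage(pkg, files) {
  const scripts = pkg.scripts || {};
  const hooks = HOOKS.filter((h) => typeof scripts[h] === "string");
  const hosts = {};
  for (const [name, src] of Object.entries(files)) {
    const found = findOastHosts(src);
    if (found.length) hosts[name] = found;
  }
  const beacon = hooks.some((h) => Object.keys(hosts).some((f) => scripts[h].includes(f)));
  return { hooks, hosts, beacon };
}

// Constructed sample modelled on the advisory text; "node telemetry.js" is assumed.
const SAMPLE_PKG = { version: "99.0.1", license: "UNLICENSED", scripts: {
  preinstall: "node telemetry.js", install: "node telemetry.js", postinstall: "node telemetry.js" } };
const SAMPLE_FILES = {
  "index.js": 'console.log("telemetry client loaded");',
  "telemetry.js": 'const h = "d87vcrdfokaufbs0"+"qf903rg6tp9to7jpe"+"."+"oa"+"st"+"."+"pro";',
};
console.log(JSON.stringify(triage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

A plain substring search for `oast.pro` over the sample `telemetry.js` finds nothing; the folded form yields the full hostname and `beacon` is true.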
The OpenSSF Package Analysis project identified '@43uh3ig43/telemetry-client' @ 99.0.1 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.0.1"
],
"import_time": "2026-05-22T07:48:02.178676929Z",
"modified_time": "2026-05-22T07:05:50Z",
"sha256": "bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862",
"source": "ossf-package-analysis"
},
{
"versions": [
"99.0.1"
],
"import_time": "2026-05-26T05:52:02.198612438Z",
"modified_time": "2026-05-22T06:28:39Z",
"id": "IN-MAL-2026-004152",
"sha256": "2cfd4ae6b32f9425af323ba62839f08fdf413cfe955a027662171781ba0f30ed",
"source": "amazon-inspector"
},
{
"versions": [
"99.0.1"
],
"import_time": "2026-05-26T05:52:02.093742844Z",
"modified_time": "2026-05-22T06:28:38Z",
"id": "IN-MAL-2026-004151",
"sha256": "37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89",
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@43uh3ig43/telemetry-client/MAL-2026-4252.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "telemetry-client-99.0.1.tgz",
"hashes": {
"sha1": "72a3615cd15ac27c6d907f0bbb51b191efcca869",
"sha512_sri": "sha512-rpbkCihROyW2XeGlckpK3kUko//kxw8dDFVNajGSeCsleJ/eAGoCCIVbkvZbbISApiegfHXvXoGlMrBjctmaDQ=="
}
}
],
"evidence_files": [
{
"path": "telemetry.js",
"sha256": "612e8a1549cd4dea5400ed9375aebc9d3d630e2fcc4b681750dbec489de5a748",
"tlsh": "1b4174ae59e8312911722468f81f4b41a1b7e2231e34f995f89bc3b41fe19bc11f86f4"
},
{
"path": "package.json",
"sha256": "53003d2639c4e3cbbf263d6127bee2a04e3eac152fbb227162b96595d86cb0c4",
"tlsh": "4df08b386e2649372dd127a3da7744c1b37a0d770509380c2b83060d8a8e52f25ff32e"
}
]
}