MAL-2026-4252

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@43uh3ig43/telemetry-client/MAL-2026-4252.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4252
Published
2026-05-22T06:28:38Z
Modified
2026-05-26T06:01:51.171040522Z
Summary
Malicious code in @43uh3ig43/telemetry-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89)

On npm install, the package's preinstall, install, and postinstall lifecycle hooks all invoke telemetry.js, which collects host metadata (OS, architecture, Node version, pid) and CI-provider identification (probing GITHUBACTIONS, AZUREDEVOPS, JENKINS_HOME environment variables), hex-encodes the JSON payload, and exfiltrates it via DNS lookups to subdomains of d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro — a Project Discovery interactsh out-of-band server. The exfil destination is split-string concatenated at telemetry.js:15 ("d87vcrdfokaufbs0"+"qf903rg6tp9to7jpe"+"."+"oa"+"st"+"."+"pro") specifically to evade naive static grep. The package's user-facing index.js is a stub that only logs a string; the real behavior is the install-time beacon. Combined with the random-looking scope, anomalously high version (99.0.1), and UNLICENSED metadata, this is the canonical fingerprint of a dependency-confusion / supply-chain recon probe — designed to trigger from corporate build systems whose internal package names collide with this scope and to phone home with enough host context to identify the victim organization.

Source: ossf-package-analysis (bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862)

The OpenSSF Package Analysis project identified '@43uh3ig43/telemetry-client' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-05-22T07:48:02.178676929Z",
            "modified_time": "2026-05-22T07:05:50Z",
            "sha256": "bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-05-26T05:52:02.198612438Z",
            "modified_time": "2026-05-22T06:28:39Z",
            "id": "IN-MAL-2026-004152",
            "sha256": "2cfd4ae6b32f9425af323ba62839f08fdf413cfe955a027662171781ba0f30ed",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-05-26T05:52:02.093742844Z",
            "modified_time": "2026-05-22T06:28:38Z",
            "id": "IN-MAL-2026-004151",
            "sha256": "37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89",
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

npm / @43uh3ig43/telemetry-client

Package

Name
@43uh3ig43/telemetry-client
Purl
pkg:npm/%4043uh3ig43%2Ftelemetry-client

Affected ranges

Affected versions

99.*
99.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@43uh3ig43/telemetry-client/MAL-2026-4252.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "telemetry-client-99.0.1.tgz",
            "hashes": {
                "sha1": "72a3615cd15ac27c6d907f0bbb51b191efcca869",
                "sha512_sri": "sha512-rpbkCihROyW2XeGlckpK3kUko//kxw8dDFVNajGSeCsleJ/eAGoCCIVbkvZbbISApiegfHXvXoGlMrBjctmaDQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "telemetry.js",
            "sha256": "612e8a1549cd4dea5400ed9375aebc9d3d630e2fcc4b681750dbec489de5a748",
            "tlsh": "1b4174ae59e8312911722468f81f4b41a1b7e2231e34f995f89bc3b41fe19bc11f86f4"
        },
        {
            "path": "package.json",
            "sha256": "53003d2639c4e3cbbf263d6127bee2a04e3eac152fbb227162b96595d86cb0c4",
            "tlsh": "4df08b386e2649372dd127a3da7744c1b37a0d770509380c2b83060d8a8e52f25ff32e"
        }
    ]
}