-= Per source details. Do not edit below this line.=-
platform-tempo@99.0.1 declares a preinstall hook that runs poc.js on every npm install. The script collects host identity (os.hostname(), `whoami /all` / `id`, `ipconfig` / `ip a`), the parent project's package.json, git remotes, CI configuration files (.gitlab-ci.yml, .github/workflows/*, Jenkinsfile, azure-pipelines.yml), and a curated dump of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/CI patterns. The collected data is sent by HTTPS POST to a hardcoded interactsh OAST domain (d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me) with the package name as the path, plus a DNS beacon to the same host. The package name platform-tempo combined with version 99.0.1 is the canonical dependency-confusion shape: it is designed to be auto-resolved by an internal package resolver in preference to a private package of the same name, since a resolver that also consults the public registry typically picks the highest available version. The package description frames itself as bug bounty research, but that does not change the install-time impact on any third party whose resolver picks up this public name: their CI tokens, cloud credentials, and source-tree metadata are shipped to the attacker-controlled OAST endpoint.
{
"malicious-packages-origins": [
{
"sha256": "6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd",
"import_time": "2026-05-26T05:53:04.964372908Z",
"source": "amazon-inspector",
"modified_time": "2026-05-25T14:15:52Z",
"versions": [
"99.0.1"
],
"id": "IN-MAL-2026-004684"
},
{
"sha256": "8044888825f16fece5bebc27183d2ee55938d631672343c0b50fd3a0550cad57",
"id": "IN-MAL-2026-004685",
"source": "amazon-inspector",
"modified_time": "2026-05-25T14:15:52Z",
"versions": [
"99.0.1"
],
"import_time": "2026-05-26T05:53:05.089700522Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/platform-tempo/MAL-2026-4641.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"domains": [
"platform-tempo-7363616e2d39323134653765316335.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me",
"d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"
],
"evidence_files": [
{
"sha256": "136ab46ea6423a9d7b9fffb0b287f3a2ae38bb43af03cda7c2b3b762b4a08681",
"tlsh": "7371b79482fa1e3022aa7571b5cd000522d7d3933206f9d4798c1a915f9e4b482f67bd",
"path": "poc.js"
},
{
"sha256": "5d90a8ff451a82a001f26402727f428434c0b6cded835cf9873544865b4356bf",
"tlsh": "1ce07d781524143317d8c3fe15f644479128cd0b5108ac1d4753348c43eeb63457fb5e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "platform-tempo-99.0.1.tgz",
"hashes": {
"sha1": "f89bd38ac141997e97df67b3edfc040abbcce8c5",
"sha512_sri": "sha512-LAnE1N6OAIB1GtxlhGbkX0dJOH8J1ZAtGR8wZSf2iMCHGa565sGRA6QUhx8ug4HlD6PgKSs0pAVQZMA6etOpdg=="
}
}
]
}