MAL-2026-4685

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-components/MAL-2026-4685.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4685

Published

2026-05-25T14:15:47Z

Modified

2026-05-26T06:02:58.847686879Z

Summary

Malicious code in tempo-components (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024)

The package contains a file (poc.js) that imports os, https, fs, and child_process; collects host identifiers including os.hostname(), os.platform(), and the output of whoami; and POSTs the data via https.request to an external endpoint. This is a classic system-reconnaissance and exfiltration shape with no benign interpretation for a package distributed under a 'components' name. Installing or loading this code on a build or developer machine causes host metadata and identity information to be transmitted off-host.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-25T14:15:47Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024",
            "id": "IN-MAL-2026-004682",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:04.778599014Z"
        },
        {
            "modified_time": "2026-05-25T14:15:48Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "9f516fddd52133764a3ff124d5ec3f47b7327e7f6df709614b6040dc4eb35b3c",
            "id": "IN-MAL-2026-004683",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:04.869125864Z"
        }
    ]
}

References

https://www.npmjs.com/package/tempo-components/v/99.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / tempo-components

Package

Name: tempo-components; View open source insights on deps.dev
Purl: pkg:npm/tempo-components

Affected ranges

Affected versions

99.*

99.0.1

Database specific

indicators

{
    "domains": [
        "tempo-components-7363616e2d36313333363566633561.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me",
        "d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"
    ],
    "evidence_files": [
        {
            "sha256": "47b3f821e4bb957a801afa370619987e7535f8527cc245deb5e555e85eff58d5",
            "tlsh": "d671c7d482fa1e3022aa75b1b5cd040522d7d3933246f9d4798c1a919f9f8b482f67be",
            "path": "poc.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Okl8VvweZsIzEMMpromguPoBh2Z7AX8BWdje0yBGlP5Blu0ske8NSFXoSRkjdBDoOgvSgcKJNHgdHTUH863Q0g==",
                "sha1": "1dd86abc7f3a1262803a2740f5ec3d5e36a20938"
            },
            "filename": "tempo-components-99.0.1.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-components/MAL-2026-4685.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]