MAL-2026-4688

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-shared-modules/MAL-2026-4688.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4688

Published

2026-05-25T13:57:56Z

Modified

2026-05-26T06:02:59.505984702Z

Summary

Malicious code in tempo-shared-modules (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839)

On npm install, the preinstall script poc.js collects host identity (hostname, username, OS/platform), network configuration (ipconfig / ip a / resolv.conf), git remote, the parent project's package.json, CI configuration files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and bulk-scrapes process.env for any variable name matching TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, CI_, JENKINS, BUILD, or WALMART together with their values. The collected payload is POSTed over HTTPS to the hardcoded interactsh OAST endpoint d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me. The package is published at version 99.0.2 on the public npm registry under a name designed to be resolved by mistake instead of an internal @livingdesign/react private package — the canonical dependency-confusion shape. The package's own description self-labels it as a Walmart HackerOne PoC, but it is publicly installable and any non-Walmart installer that resolves it is harmed: their CI tokens, cloud credentials, and pipeline configuration are sent to a third-party OAST callback host. Any one of (preinstall env-credential scrape, hardcoded OAST exfil endpoint, dependency-confusion publication shape) is independently sufficient to block.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004662",
            "versions": [
                "99.0.0"
            ],
            "sha256": "20b9b8ffa86b1c20c57373cb838ffa8cf2ce24e3252a3743447f558f6735ce80",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:57:56Z",
            "import_time": "2026-05-26T05:53:02.582660026Z"
        },
        {
            "id": "IN-MAL-2026-004669",
            "versions": [
                "99.0.1"
            ],
            "sha256": "48eb6cac999b06cb5702ab9a8c3331203c4ff1dfaf7b731b787674591c3fdab5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:04:49Z",
            "import_time": "2026-05-26T05:53:03.315680949Z"
        },
        {
            "id": "IN-MAL-2026-004679",
            "import_time": "2026-05-26T05:53:04.475585589Z",
            "sha256": "70f130e6b964b09838d87156654512b8d6a5aa42b7628b895a5b838abfcdccbb",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:09:58Z",
            "versions": [
                "99.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-004668",
            "versions": [
                "99.0.1"
            ],
            "sha256": "91413a893d29a69728f489d3f1fe7258b54917dcbbb844dea20b6c96300df198",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:04:49Z",
            "import_time": "2026-05-26T05:53:03.216923665Z"
        },
        {
            "id": "IN-MAL-2026-004678",
            "versions": [
                "99.0.2"
            ],
            "sha256": "bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T14:09:58Z",
            "import_time": "2026-05-26T05:53:04.354840767Z"
        },
        {
            "id": "IN-MAL-2026-004661",
            "versions": [
                "99.0.0"
            ],
            "sha256": "3f014249f0e3b0768728d347f0d61c96c8e400fc3851c8dcf75c8528cae7e285",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:57:56Z",
            "import_time": "2026-05-26T05:53:02.470346532Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / tempo-shared-modules

Package

Name: tempo-shared-modules; View open source insights on deps.dev
Purl: pkg:npm/tempo-shared-modules

Affected ranges

Affected versions

99.*

99.0.0

99.0.1

99.0.2

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "poc.js",
            "sha256": "ced5e45d4fa183c6b96b5d17b299b541ccc936f7fcd3c1eff70ef9d782872ea2",
            "tlsh": "033165d619f964b036a6f6c0b0d6ad515767e333b54af8e8218c0a8163cf9f141f92e4"
        },
        {
            "path": "package.json",
            "sha256": "aa6a85c1051710b1122650fe43acc5f6b8f478cb5f10093e90a3e108e5719fff",
            "tlsh": "1ae07d78186414231ad8c3fb65b6444ba128cd1b51186c1d0797348c42afb7301bfb5d"
        }
    ],
    "package_integrity": [
        {
            "filename": "tempo-shared-modules-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-BNXzhlXmOUYjtRVgm8E87767lJaNlwh2Xqd+udf6ZrfiWG4Mmxhn5v3bSYj/1TU6hafQiGpHigolNuPCLoBvwA==",
                "sha1": "97afab8d200fb02d6cf83661daf0a577a2ccb3db"
            }
        }
    ],
    "domains": [
        "tempo-shared-modules-7363616e2d38623063656561376162.d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro",
        "d8a56vpon5budaeafq00tsyj88aqd5m7p.oast.pro"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tempo-shared-modules/MAL-2026-4688.json"