-= Per source details. Do not edit below this line.=-
ttspc-server-sample@99.9.0 declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APPKEY/APPSECRET/etc.), and the full process list (ps aux on Unix, tasklist /V on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via X-PoC-Type: dependency-confusion / X-PoC-Package: ttspc-server-sample headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.9.0"
],
"sha256": "42431437432238c5e538914744de6f640582830a717f2625f3dac00be71c3b62",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:03:05Z",
"import_time": "2026-06-12T19:43:39.174310688Z",
"id": "IN-MAL-2026-005842"
},
{
"versions": [
"99.9.0"
],
"sha256": "91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8",
"modified_time": "2026-06-12T19:14:47Z",
"source": "ossf-package-analysis",
"import_time": "2026-06-12T19:43:30.193877277Z"
},
{
"versions": [
"99.9.0"
],
"sha256": "98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b",
"modified_time": "2026-06-12T19:03:04Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:39.07759391Z",
"id": "IN-MAL-2026-005841"
},
{
"versions": [
"99.9.1"
],
"sha256": "7451a014464b355b6b945397abdc1081ba51549a6bfebfc5f08af39c08569dca",
"source": "amazon-inspector",
"modified_time": "2026-06-13T20:11:31Z",
"import_time": "2026-06-13T20:33:18.289244585Z",
"id": "IN-MAL-2026-006366"
},
{
"versions": [
"9.0.0"
],
"sha256": "727d73fd4a71db0d5b2fba96d6085b8def58fb909a134e9be7bdbaf7b394bec4",
"modified_time": "2026-06-13T21:05:01Z",
"source": "amazon-inspector",
"import_time": "2026-06-13T21:32:33.309743609Z",
"id": "IN-MAL-2026-006400"
},
{
"versions": [
"9.0.0"
],
"sha256": "9b214d1b9a291a628667a867b068d68548fc044f7e266165281a13a3a6025094",
"modified_time": "2026-06-13T21:05:01Z",
"source": "amazon-inspector",
"import_time": "2026-06-13T21:32:33.281359799Z",
"id": "IN-MAL-2026-006399"
},
{
"versions": [
"99.9.2"
],
"sha256": "7a1be6a8ad2c1e6af8537e8321638055dd58c672f1a6a8bc4c2aa9f41d638694",
"source": "ossf-package-analysis",
"modified_time": "2026-06-15T15:05:47Z",
"import_time": "2026-06-15T15:30:16.193251569Z"
},
{
"versions": [
"99.9.3"
],
"sha256": "e4c4e5e2644fd6776d7df1154b9b001f526d53e2e0665907cd47ebba3c81e8d2",
"modified_time": "2026-06-15T15:05:57Z",
"source": "ossf-package-analysis",
"import_time": "2026-06-15T15:30:16.326726244Z"
},
{
"versions": [
"99.9.3"
],
"sha256": "0472bd62425c0a5a5399e516f668ef57f3d6369e653078f032250c2912a04699",
"modified_time": "2026-06-15T18:49:03Z",
"source": "amazon-inspector",
"import_time": "2026-06-15T18:54:56.912960053Z",
"id": "IN-MAL-2026-006668"
},
{
"versions": [
"99.9.2"
],
"sha256": "2e9458288128731bc5916563b387a87f5e62181bdba03f7b40a6e865c77cbe0e",
"modified_time": "2026-06-15T18:48:55Z",
"source": "amazon-inspector",
"import_time": "2026-06-15T18:54:56.846918747Z",
"id": "IN-MAL-2026-006667"
},
{
"versions": [
"99.9.3"
],
"sha256": "98c59beaecd05e92aec10fbefe858d153e56e44a4a88148c85d766544f942830",
"source": "amazon-inspector",
"modified_time": "2026-06-15T18:49:04Z",
"import_time": "2026-06-15T18:54:57.045554137Z",
"id": "IN-MAL-2026-006669"
},
{
"versions": [
"99.9.2"
],
"sha256": "ca56615e7ea600a7ccbe8e8c52b7568fd086b59e46db5b43b440cf38cfd7bfab",
"source": "amazon-inspector",
"modified_time": "2026-06-15T18:48:54Z",
"import_time": "2026-06-15T18:54:56.809860419Z",
"id": "IN-MAL-2026-006666"
},
{
"sha256": "4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"modified_time": "2026-06-16T00:05:31Z",
"source": "ghsa-malware",
"import_time": "2026-06-16T01:31:34.703454598Z",
"id": "GHSA-55wh-p7q3-vh4p"
}
]
}{
"ips": [
"54.77.139.23",
"104.16.11.34",
"3.248.33.252",
"10.1.0.2",
"104.16.0.34"
],
"evidence_files": [
{
"sha256": "ba52629bd381bb56bf30901699e5b3b142bc251cc2f9993b9e8da365a11aa246",
"path": "index.js",
"tlsh": "01c150b501f2a62536e6f65d9a0ba111ba1cf0033e09f9a57d9cb3511fcd514c3b2af8"
}
],
"package_integrity": [
{
"filename": "ttspc-server-sample-99.9.0.tgz",
"hashes": {
"sha512_sri": "sha512-tSf1z5UOp7nM/H1rgzsUgX7u7HvYQRowqAeAnH3o8BDnEEYwsgP4xdGY4QwBi7S6ipOIK/neEBeO9wyxhJiLeg==",
"sha1": "b0f881b131d100bce0b13f4b15bec64cc03bc388"
}
}
],
"domains": [
"dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]