MAL-2026-5707

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5707
Published
2026-06-12T19:03:04Z
Modified
2026-06-12T20:01:57.779252310Z
Summary
Malicious code in ttspc-server-sample (npm)
Details

Source: amazon-inspector (98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b)

ttspc-server-sample@99.9.0 declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APPKEY/APPSECRET/etc.), and the full process list (ps aux on Unix, tasklist /V on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via X-PoC-Type: dependency-confusion / X-PoC-Package: ttspc-server-sample headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.
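The two signals described above, an install-time lifecycle script and a version inflated to outrank an org's private package, can be checked mechanically before a lockfile is trusted. The following is an added example, not code from the OSV record or from the package it describes; the internal version table, the private registry URL and the sample manifest and lockfile entry are constructed.

```javascript
// Added example (not from the OSV record or the package): audit a manifest and a
// lockfile entry for the dependency-confusion signals the advisory describes, an
// install-time lifecycle script and a version inflated past the private package.
// All package data, the internal version table and the registry URL are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Parse the MAJOR.MINOR.PATCH prefix of a version string (pre-release tags ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// `pkg` is a parsed package.json; `internal` maps names the org publishes
// privately to the latest version it has actually released.
function auditManifest(pkg, internal) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push(`${hook} runs code at install time: ${pkg.scripts[hook]}`);
    }
  }
  if (pkg.name in internal && compareSemver(pkg.version, internal[pkg.name]) > 0) {
    findings.push(`version ${pkg.version} outranks internal ${internal[pkg.name]}: dependency confusion`);
  }
  return findings;
}

// A lockfile entry for a private name whose `resolved` URL is not the private
// registry means a public lookalike won semver resolution.
function auditLockEntry(name, entry, internal, privateRegistry) {
  if (!(name in internal) || !entry.resolved) return [];
  if (entry.resolved.startsWith(privateRegistry)) return [];
  return [`${name}@${entry.version} resolved from ${entry.resolved}, not ${privateRegistry}`];
}

// Constructed sample mirroring the advisory: inflated 99.9.0 plus a postinstall hook.
const SAMPLE_PKG = { name: 'ttspc-server-sample', version: '99.9.0', scripts: { postinstall: 'node index.js' } };
const INTERNAL = { 'ttspc-server-sample': '1.4.2' };       // constructed private release
const PRIVATE_REGISTRY = 'https://npm.internal.example/';  // constructed
const SAMPLE_LOCK = { version: '99.9.0', resolved: 'https://registry.npmjs.org/ttspc-server-sample/-/ttspc-server-sample-99.9.0.tgz' };
```

Running `auditManifest(SAMPLE_PKG, INTERNAL)` on the constructed sample yields both findings; pinning the private scope to the private registry in `.npmrc` and installing with `--ignore-scripts` removes the two preconditions the check flags.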

Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8)

The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005842",
            "versions": [
                "99.9.0"
            ],
            "sha256": "42431437432238c5e538914744de6f640582830a717f2625f3dac00be71c3b62",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:03:05Z",
            "import_time": "2026-06-12T19:43:39.174310688Z"
        },
        {
            "versions": [
                "99.9.0"
            ],
            "sha256": "91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-12T19:14:47Z",
            "import_time": "2026-06-12T19:43:30.193877277Z"
        },
        {
            "id": "IN-MAL-2026-005841",
            "import_time": "2026-06-12T19:43:39.07759391Z",
            "sha256": "98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:03:04Z",
            "versions": [
                "99.9.0"
            ]
        }
    ]
}

Affected packages

npm / ttspc-server-sample

Package

Name
ttspc-server-sample
Purl
pkg:npm/ttspc-server-sample

Affected ranges

Affected versions

99.*
99.9.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "ba52629bd381bb56bf30901699e5b3b142bc251cc2f9993b9e8da365a11aa246",
            "tlsh": "01c150b501f2a62536e6f65d9a0ba111ba1cf0033e09f9a57d9cb3511fcd514c3b2af8"
        }
    ],
    "package_integrity": [
        {
            "filename": "ttspc-server-sample-99.9.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-tSf1z5UOp7nM/H1rgzsUgX7u7HvYQRowqAeAnH3o8BDnEEYwsgP4xdGY4QwBi7S6ipOIK/neEBeO9wyxhJiLeg==",
                "sha1": "b0f881b131d100bce0b13f4b15bec64cc03bc388"
            }
        }
    ],
    "domains": [
        "dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json"