MAL-2026-5707

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5707
Aliases
  • GHSA-55wh-p7q3-vh4p
Published
2026-06-12T19:03:04Z
Modified
2026-06-16T01:46:46.854244037Z
Summary
Malicious code in ttspc-server-sample (npm)
Details


Source: amazon-inspector (98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b)

ttspc-server-sample@99.9.0 declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APPKEY/APPSECRET/etc.), and the full process list (ps aux on Unix, tasklist /V on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via X-PoC-Type: dependency-confusion / X-PoC-Package: ttspc-server-sample headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.
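The two traits the report above describes (an install-time lifecycle script and an inflated public version that outranks a private package of the same name) can be checked before `npm install` runs. The following is an added example, not code from the OSV record or from the package itself; the internal package list and the sample manifest are constructed to mirror the report.

```python
"""Pre-install audit for an npm package.json: flags lifecycle scripts that run
code at install time and public names that shadow a private internal package
with a higher version (the dependency-confusion pattern in the report)."""
import json

# Lifecycle hooks npm runs during installation of a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Constructed: what an organisation's private registry might publish
# (package name -> latest internal version). Hypothetical values.
INTERNAL_PACKAGES = {"ttspc-server-sample": "1.4.2"}

# Constructed sample manifest mirroring the report: version 99.9.0 and a
# postinstall hook that executes index.js.
SAMPLE_MANIFEST = json.dumps({
    "name": "ttspc-server-sample",
    "version": "99.9.0",
    "scripts": {"postinstall": "node index.js"},
})

# Constructed benign manifest: no hooks, no collision with an internal name.
BENIGN_MANIFEST = json.dumps({"name": "left-pad-clone", "version": "1.0.0"})


def parse_semver(version):
    """Return a comparable (major, minor, patch) tuple; prerelease tags are dropped."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def audit_manifest(manifest_text, internal=INTERNAL_PACKAGES):
    """Return a list of human-readable findings for one package.json document."""
    pkg = json.loads(manifest_text)
    findings = []

    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle script {hook!r} runs {scripts[hook]!r} at install time")

    name = pkg.get("name")
    version = pkg.get("version", "0.0.0")
    if name in internal and parse_semver(version) > parse_semver(internal[name]):
        findings.append(
            f"{name}@{version} outranks internal {name}@{internal[name]} in semver "
            "resolution (possible dependency confusion)"
        )
    return findings
```

Pinning the private scope to the internal registry in `.npmrc` and passing `--ignore-scripts` in CI remove both conditions regardless of what the audit reports.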

Source: ghsa-malware (4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8)

The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.0"
            ],
            "sha256": "42431437432238c5e538914744de6f640582830a717f2625f3dac00be71c3b62",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:03:05Z",
            "import_time": "2026-06-12T19:43:39.174310688Z",
            "id": "IN-MAL-2026-005842"
        },
        {
            "versions": [
                "99.9.0"
            ],
            "sha256": "91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8",
            "modified_time": "2026-06-12T19:14:47Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-12T19:43:30.193877277Z"
        },
        {
            "versions": [
                "99.9.0"
            ],
            "sha256": "98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b",
            "modified_time": "2026-06-12T19:03:04Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:39.07759391Z",
            "id": "IN-MAL-2026-005841"
        },
        {
            "versions": [
                "99.9.1"
            ],
            "sha256": "7451a014464b355b6b945397abdc1081ba51549a6bfebfc5f08af39c08569dca",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:11:31Z",
            "import_time": "2026-06-13T20:33:18.289244585Z",
            "id": "IN-MAL-2026-006366"
        },
        {
            "versions": [
                "9.0.0"
            ],
            "sha256": "727d73fd4a71db0d5b2fba96d6085b8def58fb909a134e9be7bdbaf7b394bec4",
            "modified_time": "2026-06-13T21:05:01Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-13T21:32:33.309743609Z",
            "id": "IN-MAL-2026-006400"
        },
        {
            "versions": [
                "9.0.0"
            ],
            "sha256": "9b214d1b9a291a628667a867b068d68548fc044f7e266165281a13a3a6025094",
            "modified_time": "2026-06-13T21:05:01Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-13T21:32:33.281359799Z",
            "id": "IN-MAL-2026-006399"
        },
        {
            "versions": [
                "99.9.2"
            ],
            "sha256": "7a1be6a8ad2c1e6af8537e8321638055dd58c672f1a6a8bc4c2aa9f41d638694",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-15T15:05:47Z",
            "import_time": "2026-06-15T15:30:16.193251569Z"
        },
        {
            "versions": [
                "99.9.3"
            ],
            "sha256": "e4c4e5e2644fd6776d7df1154b9b001f526d53e2e0665907cd47ebba3c81e8d2",
            "modified_time": "2026-06-15T15:05:57Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-15T15:30:16.326726244Z"
        },
        {
            "versions": [
                "99.9.3"
            ],
            "sha256": "0472bd62425c0a5a5399e516f668ef57f3d6369e653078f032250c2912a04699",
            "modified_time": "2026-06-15T18:49:03Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T18:54:56.912960053Z",
            "id": "IN-MAL-2026-006668"
        },
        {
            "versions": [
                "99.9.2"
            ],
            "sha256": "2e9458288128731bc5916563b387a87f5e62181bdba03f7b40a6e865c77cbe0e",
            "modified_time": "2026-06-15T18:48:55Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T18:54:56.846918747Z",
            "id": "IN-MAL-2026-006667"
        },
        {
            "versions": [
                "99.9.3"
            ],
            "sha256": "98c59beaecd05e92aec10fbefe858d153e56e44a4a88148c85d766544f942830",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:49:04Z",
            "import_time": "2026-06-15T18:54:57.045554137Z",
            "id": "IN-MAL-2026-006669"
        },
        {
            "versions": [
                "99.9.2"
            ],
            "sha256": "ca56615e7ea600a7ccbe8e8c52b7568fd086b59e46db5b43b440cf38cfd7bfab",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:48:54Z",
            "import_time": "2026-06-15T18:54:56.809860419Z",
            "id": "IN-MAL-2026-006666"
        },
        {
            "sha256": "4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "modified_time": "2026-06-16T00:05:31Z",
            "source": "ghsa-malware",
            "import_time": "2026-06-16T01:31:34.703454598Z",
            "id": "GHSA-55wh-p7q3-vh4p"
        }
    ]
}
References
Credits

Affected packages

npm / ttspc-server-sample

Package

Name
ttspc-server-sample
Purl
pkg:npm/ttspc-server-sample

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

9.*
9.0.0
99.*
99.9.0
99.9.1
99.9.2
99.9.3

Database specific

indicators
{
    "ips": [
        "54.77.139.23",
        "104.16.11.34",
        "3.248.33.252",
        "10.1.0.2",
        "104.16.0.34"
    ],
    "evidence_files": [
        {
            "sha256": "ba52629bd381bb56bf30901699e5b3b142bc251cc2f9993b9e8da365a11aa246",
            "path": "index.js",
            "tlsh": "01c150b501f2a62536e6f65d9a0ba111ba1cf0033e09f9a57d9cb3511fcd514c3b2af8"
        }
    ],
    "package_integrity": [
        {
            "filename": "ttspc-server-sample-99.9.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-tSf1z5UOp7nM/H1rgzsUgX7u7HvYQRowqAeAnH3o8BDnEEYwsgP4xdGY4QwBi7S6ipOIK/neEBeO9wyxhJiLeg==",
                "sha1": "b0f881b131d100bce0b13f4b15bec64cc03bc388"
            }
        }
    ],
    "domains": [
        "dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ttspc-server-sample/MAL-2026-5707.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]