OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10704 confirms this npm version as malicious. Package impersonates the across-protocol organization (published as @across-toolkit/typescript-config@99.0.0, a high-version dependency-confusion shape) and ships two postinstall stealer scripts that run automatically on npm install. postinstall.js and eslint-config/postinstall.js read installer-owned secrets from ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.gitconfig,.env files,...
Advisory
MAL-2026-10704
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @across-toolkit/typescript-config (npm)
Details
Package impersonates the across-protocol organization (published as @across-toolkit/typescript-config@99.0.0, a high-version dependency-confusion shape) and ships two postinstall stealer scripts that run automatically on npm install. postinstall.js and eslint-config/postinstall.js read installer-owned secrets from ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.gitconfig,.env files, /etc/environment, /proc/1/environ, and gcloud application default credentials, and query cloud instance metadata services at http://metadata.google.internal/computeMetadata/v1/ (with the Metadata-Flavor: Google header) and http://169.254.169.254/ for IAM security credentials and OAuth tokens. The collected files, IMDS responses, and a base64-encoded copy of process.env (including NPM_TOKEN) are POSTed via https.request to two hardcoded webhook.site collectors (paths /a585f4ec-20f7-4bd1-bac7-f3e53799dc5f and /12b523e2-ee58-4598-8fe1-bbf1f3999550). The declared package purpose is a shared tsconfig; the network exfiltration and credential harvesting have no relation to that purpose.
Decision reason
OpenSSF Malicious Packages via OSV confirms @across-toolkit/typescript-config@99.0.0 as malicious (MAL-2026-10704): Malicious code in @across-toolkit/typescript-config (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory