OSV Malicious Advisory
scanned 9d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5707 confirms this npm version as malicious. ttspc-server-sample@99.9.0 declares `postinstall: node index.js` in package.json, so on `npm install` it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (`ps aux` on Unix, `tasklist /V` on Windows),...
Advisory
MAL-2026-5707
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ttspc-server-sample (npm)
Details
ttspc-server-sample@99.9.0 declares `postinstall: node index.js` in package.json, so on `npm install` it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (`ps aux` on Unix, `tasklist /V` on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via `X-PoC-Type: dependency-confusion` / `X-PoC-Package: ttspc-server-sample` headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.
## Source: ghsa-malware (4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8) The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms ttspc-server-sample@9.0.0 as malicious (MAL-2026-5707): Malicious code in ttspc-server-sample (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory