MAL-2026-10704
Malicious code in @across-toolkit/typescript-config (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5580d26d1829c9faf6465962431399aee9804c8ed1264274b30b9ce42f274bd9) Package impersonates the across-protocol organization (published as @across-toolkit/typescript-config@99.0.0, a high-version dependency-confusion shape) and ships two postinstall stealer scripts that run automatically on npm install. postinstall.js and eslint-config/postinstall.js read installer-owned secrets from ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.gitconfig,.env files, /etc/environment, /proc/1/environ, and gcloud application default credentials, and query cloud instance metadata services at http://metadata.google.internal/computeMetadata/v1/ (with the Metadata-Flavor: Google header) and http://169.254.169.254/ for IAM security credentials and OAuth tokens. The collected files, IMDS responses, and a base64-encoded copy of process.env (including NPM_TOKEN) are POSTed via https.request to two hardcoded webhook.site collectors (paths /a585f4ec-20f7-4bd1-bac7-f3e53799dc5f and /12b523e2-ee58-4598-8fe1-bbf1f3999550). The declared package purpose is a shared tsconfig; the network exfiltration and credential harvesting have no relation to that purpose.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @across-toolkit/typescript-config (npm). Pin to a known-safe version or switch to an alternative.