VDB
KO

MAL-2026-4252

Malicious code in @43uh3ig43/telemetry-client (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (37d4a096b834c0d9acdddefee09b0c6cb4d8c6f68513b2ebb4ec88424f491e89) On npm install, the package's preinstall, install, and postinstall lifecycle hooks all invoke telemetry.js, which collects host metadata (OS, architecture, Node version, pid) and CI-provider identification (probing GITHUB_ACTIONS, AZURE_DEVOPS, JENKINS_HOME environment variables), hex-encodes the JSON payload, and exfiltrates it via DNS lookups to subdomains of d87vcrdfokaufbs0qf903rg6tp9to7jpe.oast.pro — a Project Discovery interactsh out-of-band server. The exfil destination is split-string concatenated at telemetry.js:15 (`"d87vcrdfokaufbs0"+"qf903rg6tp9to7jpe"+"."+"oa"+"st"+"."+"pro"`) specifically to evade naive static grep. The package's user-facing index.js is a stub that only logs a string; the real behavior is the install-time beacon. Combined with the random-looking scope, anomalously high version (99.0.1), and UNLICENSED metadata, this is the canonical fingerprint of a dependency-confusion / supply-chain recon probe — designed to trigger from corporate build systems whose internal package names collide with this scope and to phone home with enough host context to identify the victim organization.

## Source: ghsa-malware (892a8ab4e7f80eb0672e989c01b045b533ff527b194b925e663ecd55a2bf4d8e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

## Source: ossf-package-analysis (bf448f47154495a6c9e04750e66ab6c67cbcc98809f05d7d4d97c297461d3862) The OpenSSF Package Analysis project identified '@43uh3ig43/telemetry-client' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @43uh3ig43/telemetry-client
Introduced in: 0

No fixed version published yet for @43uh3ig43/telemetry-client (npm). Pin to a known-safe version or switch to an alternative.

References