VDB
KO

MAL-2026-5211

Malicious code in autotel (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (921a045507925f9accff44927ec74588991f03dd291a3ae95cdc9919523ed800) Pattern matches fired on co-occurrence of the strings 'ping', 'POST', and 'hostname' in the package's bundled and source files (dist/chunk-*.cjs, dist/chunk-*.js, dist/init-*.d.ts, src/init.ts). These are generic keywords that commonly appear together in observability/telemetry tooling without indicating exfiltration: 'ping' is frequently used for health-check endpoints, 'POST' for normal HTTP client code, and 'hostname' for environment/identity reporting in telemetry payloads. No hardcoded attacker-controlled C2 endpoint, credential-path read (~/.aws, ~/.ssh, ~/.npmrc, browser profiles), env-var scraping loop, install-time lifecycle hook, or import-time side effect has been corroborated. Routing to human review so a maintainer can confirm whether the POST destinations are user-configurable / vendor-documented telemetry endpoints versus a hardcoded exfil sink.

## Source: google-open-source-security (a6c7977dbc054cdb7fe56da0d2fbd26e2a6fed695deb4263ccbf4adfedd86acb) The Miasma malware is a self-propagating worm that spreads across the npm registry by abusing weaponized `binding.gyp` files to achieve execution during package installation, bypassing security tools that only inspect package lifecycle scripts. Upon execution, the malware attempts to exfiltrate credentials and OIDC tokens for various cloud and registry services, and propagates by compromising other packages managed by the stolen accounts or committing backdoor files to GitHub repositories.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / autotel

No fixed version published yet for autotel (npm). Pin to a known-safe version or switch to an alternative.

References