Which versions of tempo-layout are malicious?

The following npm versions of tempo-layout are flagged malicious: 99.0.0, 99.0.1, 99.0.2. Treat any of these as compromised.

How do I remediate tempo-layout if I installed it?

tempo-layout is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed tempo-layout — how do I know if it already compromised me?

If tempo-layout was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is tempo-layout part of a known attack campaign?

Yes — tempo-layout is associated with the IN-MAL-2026-004670, IN-MAL-2026-004658, IN-MAL-2026-004676, IN-MAL-2026-004657, IN-MAL-2026-004671, IN-MAL-2026-004677 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find tempo-layout across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for tempo-layout (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging tempo-layout across your stack and pipelines.

Malicious package

tempo-layoutnpm

Malicious code in tempo-layout (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4686

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall tempo-layout

What this malware does

[email protected] ships a preinstall hook (poc.js) that unconditionally collects host identity (os.hostname, whoami, id), network configuration (ipconfig/ip a/resolv.conf), git remote, parent package.json, CI pipeline files (.gitlab-ci.yml,.github/workflows, Jenkinsfile, azure-pipelines.yml), and a filtered sweep of environment variables matching TOKEN/AWS/AZURE/NPM/GITHUB/GITLAB/JENKINS/WALMART/CI_/BUILD prefixes. The collected JSON is POSTed over HTTPS to a hardcoded interactsh subdomain (d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me) on npm install. The package additionally self-identifies as a dependency-confusion proof-of-concept targeting an internal namespace (@livingdesign/react) and is published to the public npm registry so any organization whose resolver falls through to public npm receives the payload. Regardless of any bug-bounty framing in the metadata, the published artifact harvests installer credentials and CI tokens and ships them off-host on install — this is an installer-side supply-chain attack.

Malicious versions

3 flagged

99.0.099.0.199.0.2

Indicators of compromise (SHA-256)

44d04dff489ed1e87d2258e629b6f6b7c6b4090c2f4540e1aa3dab87d2999690

c3f1e43c7ff8f95617d841a068f59847f92e6487ac024a31cc9e4a765799d7de

795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6

ada1f3c19a6252264962a2efe3bc53fba1340c3bce76257ef9054ac5e1963a5d

b17d078c4f137d26fb548d86936b2da4ae3b3ab1328d14fed33975ab5a140d3f

b200465f630596d74ae24899022d0a24082514304b201987ca6e4cbecaf317bf

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for tempo-layout (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging tempo-layout across your stack and pipelines.
If you installed it — respond
tempo-layout is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If tempo-layout was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks tempo-layout before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. tempo-layout on npm has been identified as a malicious package (versions 99.0.0, 99.0.1, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004670IN-MAL-2026-004658IN-MAL-2026-004676IN-MAL-2026-004657IN-MAL-2026-004671IN-MAL-2026-004677

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks tempo-layout-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring