Malicious package

tempo-shared-modules (npm)

Malicious code in tempo-shared-modules (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4688
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall tempo-shared-modules

What this malware does

On npm install, the preinstall script poc.js collects host identity (hostname, username, OS/platform), network configuration (ipconfig / ip a / resolv.conf), git remote, the parent project's package.json, CI configuration files (.gitlab-ci.yml, .github/workflows, Jenkinsfile, azure-pipelines.yml), and bulk-scrapes process.env for any variable name matching TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, CI_, JENKINS, BUILD, or WALMART together with their values. The collected payload is POSTed over HTTPS to the hardcoded interactsh OAST endpoint d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me.

The package is published at version 99.0.2 on the public npm registry under a name designed to be resolved by mistake instead of an internal @livingdesign/react private package — the canonical dependency-confusion shape.

The package's own description self-labels it as a Walmart HackerOne PoC, but it is publicly installable and any non-Walmart installer that resolves it is harmed: their CI tokens, cloud credentials, and pipeline configuration are sent to a third-party OAST callback host. Any one of (preinstall env-credential scrape, hardcoded OAST exfil endpoint, dependency-confusion publication shape) is independently sufficient to block.

Malicious versions

3 flagged
99.0.0, 99.0.1, 99.0.2

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for tempo-shared-modules (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging tempo-shared-modules across your stack and pipelines.

  2. If you installed it — respond

    tempo-shared-modules is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If tempo-shared-modules was ever installed, its install-time payload (the preinstall script) may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks tempo-shared-modules before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
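An added example for steps 1 and 2 above (not O3's tooling and not code from the package): it walks a parsed package-lock.json for tempo-shared-modules at a flagged version and lists the names of environment variables that fall under the scrape patterns described earlier, to scope rotation. The sample lockfile and environment are constructed, and the case-insensitive substring match is an assumption chosen to over-report.

```javascript
// Added example: triage helpers for this advisory (not O3's or the package's code).
const PKG = "tempo-shared-modules";
const BAD_VERSIONS = new Set(["99.0.0", "99.0.1", "99.0.2"]);
// Name fragments the advisory lists as matched against process.env.
const SCRAPED = ["TOKEN", "AWS", "AZURE", "NPM", "GITHUB", "GITLAB", "CI_", "JENKINS", "BUILD", "WALMART"];

// Constructed sample inputs; in practice pass JSON.parse(<package-lock.json>) and process.env.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/tempo-shared-modules": { version: "99.0.2" },
    "node_modules/example-lib": { version: "1.3.0" },
  },
};
const SAMPLE_ENV = { HOME: "/home/ci", NPM_TOKEN: "x", aws_secret_access_key: "x", CI_JOB_ID: "1", PATH: "/usr/bin" };

// Return every place the package is pinned in a parsed package-lock.json.
function findInLockfile(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flagged: BAD_VERSIONS.has(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (("/" + path).endsWith("/node_modules/" + PKG)) record(path, meta.version);
  }
  // lockfileVersion 1 (and the compatibility copy kept by v2): nested "dependencies".
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) record([...trail, name].join(" > "), meta.version);
      walk(meta.dependencies, [...trail, name]);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Names only (never values) of variables the scraper would have matched.
// Assumption: case-insensitive substring match, so the list errs toward rotating more.
function exposedEnvNames(env) {
  return Object.keys(env)
    .filter((k) => SCRAPED.some((s) => k.toUpperCase().includes(s)))
    .sort();
}

console.log(findInLockfile(SAMPLE_LOCK));
console.log(exposedEnvNames(SAMPLE_ENV));
```

A version 2 lockfile carries both representations, so the same install can be reported twice; any hit at all means the package should be removed and the listed variables rotated.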

Frequently asked questions

No. tempo-shared-modules on npm has been identified as a malicious package (versions 99.0.0, 99.0.1, 99.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004662, IN-MAL-2026-004669, IN-MAL-2026-004679, IN-MAL-2026-004668, IN-MAL-2026-004678, IN-MAL-2026-004661

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks tempo-shared-modules-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.
