Malicious package

tn-advertisement (npm)

Malicious code in tn-advertisement (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5838
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall tn-advertisement

What this malware does

On require, index.js performs an unconditional http.get to a unique subdomain of oastify.com (Burp Suite Collaborator out-of-band testing infrastructure). The package has no advertised functionality — the entry file is named postinstall.js but wired as main, and its only behavior is the outbound beacon. Loading the module discloses the installer's public IP and DNS resolver to whoever provisioned the unique Collaborator subdomain, confirming code execution on the installer's machine. This shape is consistent with dependency-confusion reconnaissance payloads used to verify a successful supply-chain landing prior to follow-on exploitation.

Malicious versions

1 flagged
5.0.0

Indicators of compromise (SHA-256)

1b13ed4147b360eee88a36d9fe649dccbef37cf9019072841e697b88b6e4d3d2

Frequently asked questions

No. tn-advertisement on npm has been identified as a malicious package (version 5.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006710

Credits

  • Amazon Inspector · finder

tn-advertisement (npm) malicious package — MAL-2026-5838 | O3 Security