Malicious package

ttspc-server-sample (npm)

Malicious code in ttspc-server-sample (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5707
Immediate action
Remove the package, then rotate any secrets the build or runtime environment could reach, including anything exposed through environment variables or process command lines on the host that ran the install.
npm uninstall ttspc-server-sample

What this malware does

ttspc-server-sample@99.9.0 declares postinstall: node index.js in its package.json, so npm install executes index.js automatically, before any application code runs. The script collects the installing host's hostname, username, current working directory, network interface IPs and MACs, OS details, the presence (by name, not value) of environment variables including credential-shaped ones such as APP_KEY and APP_SECRET, and the full process list (ps aux on Unix, tasklist /V on Windows). It then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com, with a secondary reference to the placeholder http://your-id.burpcollaborator.net.

The package self-labels its requests with the headers X-PoC-Type: dependency-confusion and X-PoC-Package: ttspc-server-sample, and uses an inflated version, 99.9.0, chosen to win semver resolution against a victim organization's private internal package of the same name. Even framed as a proof of concept, install-time exfiltration of host identifiers, internal IP addresses, credential variable names and a running-process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one. Note that a full process listing includes command lines, which frequently carry tokens and passwords as arguments, so treat the process inventory as a potential secret leak and not only as reconnaissance.

The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged
99.9.0

Indicators of compromise (SHA-256)

42431437432238c5e538914744de6f640582830a717f2625f3dac00be71c3b62
91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8
98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b

Frequently asked questions

Is ttspc-server-sample safe to use?

No. ttspc-server-sample on npm has been identified as a malicious package (version 99.9.0 flagged). Remove it immediately, and do not install it or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-005842
  • IN-MAL-2026-005841

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

ttspc-server-sample (npm) malicious package — MAL-2026-5707 | O3 Security