Supply-chain threat intelligence
Risk score: 92
Indexed incident for ttspc-server-sample (npm).
ttspc-server-sample@99.9.0 declares postinstall: node index.js in package.json, so npm install automatically executes index.js on the installing host. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of environment variables including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (ps aux on Unix, tasklist /V on Windows), then sends the JSON payload via HTTP POST to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via X-PoC-Type: dependency-confusion / X-PoC-Package: ttspc-server-sample headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one.
The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline