MAL-2026-3124

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services (authentication, PKI, telemetry, CloudKit, and cloud infrastructure). All packages in this campaign execute credential-theft payloads during npm installation via preinstall or postinstall lifecycle hooks.

Trigger: postinstall. Exfiltrates full system fingerprint including hostname, username, home directory file listing, AWS credentials, GCP active config, and all environment variables, base64-encoded, to https://franki.requestcatcher.com/apple_full_leak via curl.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (95aeeda1c4b09aef606511b9d3f46c776a597189420959935831310789d5fcb5)

The package apple-internal-dev-check was found to contain malicious code.

Source: ossf-package-analysis (b9be007ef6ea0b1d3d9ba50b8958b00bc0089155dfc001fdf4988da85469dcd5)

The OpenSSF Package Analysis project identified 'apple-internal-dev-check' @ 2.0.0 (npm) as malicious.

It is considered malicious because:

• The package executes one or more commands associated with malicious behavior.