Supply chain · npm · High

Critical npm package 'autotel-cli' v0.8.14 compromises host systems

Threat Engine Auto-Feed · data current as of 2026-06-29

Version 0.8.14 of the npm package 'autotel-cli' has been identified as malware rather than as a package with an ordinary vulnerability. Installing it leads to full system compromise, so immediate action is needed to protect sensitive data and infrastructure.

  • Package: npm / autotel-cli
  • Affected versions: = 0.8.14
  • Severity: critical
  • Reach: ~238/wk
  • Exposure: 70/100 (High)

What happened — Credential / secret theft

The npm package 'autotel-cli' version 0.8.14 contains malware. Any system where this specific version of the package is installed or executed should be considered fully compromised.

How the attack works

This is a malicious package injection attack. An attacker publishes a seemingly legitimate package containing hidden malicious code. When a developer or automated system installs or runs this package, the malicious code executes, leading to unauthorized access or control over the host system. The specific mechanism here results in full system compromise.

Who's exposed

Profiles most at risk

  • Development teams using npm
  • Organizations with CI/CD pipelines that pull npm packages
  • Any user or system that has installed 'autotel-cli' version 0.8.14

Conditions that increase exposure

  • Direct or transitive dependency on 'autotel-cli' version 0.8.14
  • Lack of dependency pinning or lockfile usage in projects
  • Automated builds or deployments that fetch the latest package versions without vetting

Blast-radius scenarios

  • An attacker gains full control over the compromised computer, potentially leading to data exfiltration, further network penetration, or resource abuse.
  • All secrets and keys stored on the compromised system are at risk of theft, requiring immediate rotation.
  • The integrity of development environments and build artifacts may be compromised if the package was used in a CI/CD context.

What to do (defensive)

Detect

  • Scan project dependency trees for 'autotel-cli' version 0.8.14.
  • Review package lock files (e.g., package-lock.json, yarn.lock) for the presence of the affected version.
  • Monitor network traffic for unusual outbound connections from systems that might have installed the package.
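The lockfile review above can be scripted. The following is an added example, not code from the advisory or from the package: it checks package-lock.json text (v1 tree and v2/v3 "packages" map) and yarn.lock text (classic and Berry) for 'autotel-cli' pinned at 0.8.14. The sample lockfiles and the names "demo-app" and "build-tool" are constructed.

```javascript
const BAD = { name: "autotel-cli", version: "0.8.14" }; // from the advisory
// package-lock.json v2/v3 has a flat "packages" map keyed by install path;
// v1 has only a nested "dependencies" tree. Returns where the version is pinned.
function scanNpmLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  const isBad = (name, meta) => name === BAD.name && meta.version === BAD.version;
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // "name" is recorded when the folder differs from the package (aliases)
      if (isBad(meta.name || path.split("node_modules/").pop(), meta)) hits.push(path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (isBad(name, meta)) hits.push([...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// yarn.lock (classic and Berry): an unindented "spec, spec:" header followed
// by an indented version line. Returns the headers that resolve to 0.8.14.
function scanYarnLock(text) {
  const hits = [];
  let header = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // package name = text before the first "@" that is not a scope prefix
      header = specs.some((s) => s.slice(0, s.indexOf("@", 1)) === BAD.name) ? line.slice(0, -1) : null;
    } else if (header) {
      const m = line.match(/^  version:?\s+"?([^"\s]+)"?/);
      if (m && m[1] === BAD.version) { hits.push(header); header = null; }
    }
  }
  return hits;
}
// Constructed sample inputs; "demo-app" and "build-tool" are made-up names.
const SAMPLE_NPM = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/autotel-cli": { version: "0.8.13" },
  "node_modules/build-tool/node_modules/autotel-cli": { version: "0.8.14" },
} });
const SAMPLE_YARN = '# yarn lockfile v1\n\nautotel-cli@^0.8.0:\n  version "0.8.14"\n\nbuild-tool@^2.0.0:\n  version "2.0.0"\n';
console.log(scanNpmLock(SAMPLE_NPM), scanYarnLock(SAMPLE_YARN));
```

To check a real project, pass each function the lockfile contents read with fs.readFileSync(path, "utf8"). A non-empty result means the affected version is pinned, including as a transitive dependency.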

Contain

  • Immediately isolate any system identified with 'autotel-cli' version 0.8.14 installed.
  • Block network access for compromised systems to prevent further exfiltration or lateral movement.
  • Suspend any CI/CD pipelines or build processes that may have pulled the malicious package.

Remediate

  • Consider any system that installed 'autotel-cli' version 0.8.14 as fully compromised and rebuild from a trusted image.
  • Rotate all secrets, API keys, and credentials that were stored on or accessible from the compromised computer, performing this action from a separate, secure system.
  • Remove the 'autotel-cli' package; however, be aware that full system control may have been granted, so removal alone might not eliminate all malicious components.

Frontier verdict — High

This is a critical supply-chain compromise requiring immediate isolation, credential rotation, and system rebuilds due to full host compromise.

Sources

For detection-engineering and awareness only · point-in-time · not security advice · sourced from the GitHub Advisory Database.