Supply chain · npm · High

Critical npm package 'autotel-backends' v2.12.26 compromises host systems

Threat Engine Auto-Feed · data current as of 2026-06-29

A malicious version of the 'autotel-backends' npm package (v2.12.26) has been identified, leading to full system compromise upon installation. This poses a critical supply-chain risk, necessitating immediate action for any affected systems.

  • Package: npm / autotel-backends
  • Affected versions: = 2.12.26
  • Severity: critical
  • Reach: ~578/wk
  • Exposure: 70/100 (High)

What happened — Credential / secret theft

The 'autotel-backends' npm package, specifically version 2.12.26, contains malware. Installation of this version results in the complete compromise of the host system.

How the attack works

This is a malicious package attack where an adversary injects harmful code into a seemingly legitimate software component. When developers or automated systems integrate the compromised package into their projects, the malicious code executes, granting the attacker unauthorized access and control over the system where the package is installed or run.

Who's exposed

Profiles most at risk

  • Development teams using the npm ecosystem
  • Organizations with CI/CD pipelines that automatically pull package dependencies
  • Any system or developer workstation that installed 'autotel-backends' version 2.12.26

Conditions that increase exposure

  • Unpinned dependencies in package.json allowing automatic updates to vulnerable versions
  • Lack of package-lock.json or yarn.lock files to ensure consistent dependency resolution
  • Use of internal package mirrors that may not have filtered out the malicious version

Blast-radius scenarios

  • An attacker gains full control over the compromised computer, potentially leading to data exfiltration, further network penetration, or deployment of additional malware.
  • All secrets and keys stored on the compromised system are exposed and can be stolen by the attacker.
  • The blast radius extends to any environment (development, testing, production) where the malicious package was installed, making all associated data and infrastructure vulnerable.

What to do (defensive)

Detect

  • Scan dependency trees for 'autotel-backends' version 2.12.26.
  • Review package-lock.json or yarn.lock files for the presence of the malicious version.
  • Monitor network traffic for unusual outbound connections from systems that installed the package.

Contain

  • Immediately isolate any system identified as having installed 'autotel-backends' version 2.12.26 from the network.
  • Block all outbound network traffic from affected systems except for essential security tools.
  • Prevent further installations of 'autotel-backends' version 2.12.26 across all environments.

Remediate

  • Consider any system that installed 'autotel-backends' version 2.12.26 to be fully compromised and rebuild it from a trusted image.
  • Rotate all secrets, API keys, and credentials that were stored on or accessible from the compromised computer, performing this action from a separate, trusted system.
  • Remove the 'autotel-backends' package, but acknowledge that this may not fully remove all malicious software due to potential full system compromise.

Frontier verdict — High

This is a critical severity supply-chain compromise requiring immediate isolation and credential rotation for any system that installed 'autotel-backends' v2.12.26.

Sources

For detection-engineering and awareness only · point-in-time · not security advice · sourced from the GitHub Advisory Database.