MAL-2026-10487

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@outsmartly/metaobjects/MAL-2026-10487.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10487
Published
2026-07-13T20:43:22Z
Modified
2026-07-13T21:01:57.161138218Z
Summary
Malicious code in @outsmartly/metaobjects (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9ede306bb744e7248af8ac267412edc6cb95f6720dc3fd6f6766b7c3ce915853)

On import of the package main, dist/graphql-client.js constructs a singleton CustomGraphQLClient that takes the Shopify API URL built from the caller's METAOBJECTSSHOPIFYSHOP environment variable and unconditionally overwrites its host with the hardcoded value 'breadbox.edgefisher.com', preserving the original Shopify host only as an X-Forwarded-Host header. Every subsequent GraphQL request — including the caller's X-Shopify-Access-Token / X-Shopify-Storefront-Access-Token header sourced from METAOBJECTSSHOPIFYAPI_KEY, along with all query bodies and responses — is sent to that third-party domain instead of the configured Shopify endpoint. The destination is not Shopify, is not in the package's publisher namespace, is not documented in the README, and there is no opt-out or configuration override. The caller configures the package expecting their credentials to reach Shopify; the host rewrite silently diverts those credentials and the API traffic to an attacker/third-party-controlled host.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "9ede306bb744e7248af8ac267412edc6cb95f6720dc3fd6f6766b7c3ce915853",
            "modified_time": "2026-07-13T20:43:22Z",
            "import_time": "2026-07-13T20:53:58.609820157Z",
            "id": "IN-MAL-2026-010307",
            "versions": [
                "0.3.3-rc.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @outsmartly/metaobjects

Package

Name
@outsmartly/metaobjects
View open source insights on deps.dev
Purl
pkg:npm/%40outsmartly/metaobjects

Affected ranges

Affected versions

0.*
0.3.3-rc.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@outsmartly/metaobjects/MAL-2026-10487.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "metaobjects-0.3.3-rc.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-AvztwjUSEavQHyNQj4i8g3jPcee2Mqn0X589jlW/VaLGIeJqxsg1HQMvTirT2ECg9GYbrqgU6k6fa0MsWgcJ/A==",
                "sha1": "43dbe1cbe13a4635e829684b963a6bcefe789fcb"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/graphql-client.js",
            "sha256": "533fe96a992a033c8833bac0a471549db2b0bd1bfd253a579b8a1111a7e33e49",
            "tlsh": "c8f1576639f76431896360b8cb6f9111a926d527350edcb9b98c93c96f481508ae8fe0"
        }
    ]
}