MAL-2026-10635

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gmail-changer/MAL-2026-10635.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10635
Published
2026-07-15T04:20:08Z
Modified
2026-07-15T05:19:57.219468636Z
Summary
Malicious code in gmail-changer (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (913e56ded5b9c46e15c7589a0883bfb708b2488aa54f4c25ca05b1c13e4d75fe)

Package exports a complete Gmail account-hijack pipeline driven by stolen session cookies. Exported helpers (waitForRemoveRecovery, waitForRecoveryAdd, waitForPasswordChange, waitForDeviceLogout, waitForTwoFaActive, waitForNameChange) automate, in sequence: removing the victim's recovery phone number, injecting an attacker-controlled recovery email at the hardcoded domain @oletters.com, resetting the password to a random string, signing every other device out, harvesting 2FA seed + backup codes, and changing the display name. OTP interception is wired to a hardcoded SMS-rental endpoint at sever1.tempxapi.com/api/sms, where the package polls for incoming Google verification codes (G-\d{6}) using an X-Integrity-Token to drive recovery-number swaps and login challenges. index.js getMailYear additionally POSTs to Gmail's undocumented sync RPC at mail.google.com/sync/u/0/i/bv with stolen cookies to enumerate the victim's ^all mailbox (up to 2000 messages per page) for post-takeover reconnaissance. Puppeteer is launched with puppeteer-extra-plugin-stealth, --ignore-certificate-errors, and request interception that silently swallows Gmail's SetOSID redirect (replaced with a 200 OK stub) to harvest the session without completing the page transition. Every advertised API mutates a Google account against its owner's interests; there is no legitimate use case. Installing or loading this package equips the installer with — and contributes to a public ecosystem of — operational account-takeover tooling, with a hardcoded attacker drop-domain (@oletters.com) and third-party OTP relay baked in.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010618",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T04:32:07.650221871Z",
            "sha256": "913e56ded5b9c46e15c7589a0883bfb708b2488aa54f4c25ca05b1c13e4d75fe",
            "versions": [
                "2.0.2"
            ],
            "modified_time": "2026-07-15T04:20:08Z"
        }
    ]
}
References
Credits

Affected packages

npm / gmail-changer

Package

Affected ranges

Affected versions

2.*
2.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gmail-changer/MAL-2026-10635.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "gmail-changer-2.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-2Yvy2HRzXCl6CWUsj4rktlLCS0i9EpTRmynidYoz4e7JqsqDurtWPQSDbNvcIhqrfsKd9Lhbgi7BmkZ6jxO5Hw==",
                "sha1": "1f12b7d75ffb71c56b36baecd1c74eba1f2837a7"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "116059bc2accefde9ebbb60d870461fe1e4132f331dcd0f91a6a0658bd5be3b7",
            "tlsh": "7c835296243b042785b3b7bba867b409ff16e22f4610658d7fac85503f7c81754a2fac"
        }
    ]
}