-= Per source details. Do not edit below this line.=-
The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=pagehtml&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, nouserspan, nononce, exploitsuccess, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to nyxalor25@proton.me, then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members/<user>/settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010754",
"sha256": "0419014b846dad93131788936a2a40257cb27b7c19ab4f74b43d84445b608afa",
"import_time": "2026-07-16T18:54:02.912549687Z",
"modified_time": "2026-07-16T18:42:34Z",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
},
{
"import_time": "2026-07-16T18:54:02.957475438Z",
"sha256": "0aa8c7ef8c36ef3d4eb1f3c423ca518894ee4abd9c621232cf8d451a9e5d81f9",
"modified_time": "2026-07-16T18:42:42Z",
"versions": [
"1.0.2"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010755"
},
{
"modified_time": "2026-07-16T18:37:02Z",
"sha256": "26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360",
"versions": [
"1.0.4"
],
"import_time": "2026-07-16T18:54:00.864358936Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010717"
},
{
"modified_time": "2026-07-16T18:36:55Z",
"sha256": "4f93df3b1a546f25702b9d6d35590f05a6f86171cd9852085c2708b5f765242f",
"versions": [
"1.0.5"
],
"import_time": "2026-07-16T18:54:00.832547735Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010716"
},
{
"versions": [
"1.0.7"
],
"sha256": "d9f7b472ce0efe03e1eb07b8756f06682c3289fb2b33f544edcd12f71d7e3e56",
"import_time": "2026-07-16T18:54:00.732302137Z",
"modified_time": "2026-07-16T18:36:36Z",
"id": "IN-MAL-2026-010714",
"source": "amazon-inspector"
},
{
"modified_time": "2026-07-16T18:43:23Z",
"sha256": "f8c8cc7d71b667ac9ab8421c504e75d408ec3354aa77d47d1287cb8c190a85e1",
"versions": [
"1.0.1"
],
"import_time": "2026-07-16T18:54:03.149350522Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010760"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "xxdxa-1.0.3.tgz",
"hashes": {
"sha1": "ea9ba28fbc8f45f190bea59cdc61d69c5294e8f4",
"sha512_sri": "sha512-mRPeE88aCaPu+/KZRm18Qd/oWk4QHtg0yiBAD4xeemvrFt2HRyxMtxs/zIeKollbn8fs8paQ0HsHTgYIHBIcrA=="
}
}
],
"evidence_files": [
{
"tlsh": "4c32d2a243779efec8755a049c35be1aecf888b50fd7d02a65073884cd7ebe04791269",
"sha256": "6550221df675fe7a77bcfb4d34ca4bcbc8b13d73a76385b8d3b082765e3bbe46",
"path": "i.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xxdxa/MAL-2026-10752.json"