MAL-2026-3670

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/11j/MAL-2026-3670.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3670
Published
2026-05-12T07:42:26Z
Modified
2026-05-13T20:23:30.921173Z
Summary
Malicious code in 11j (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869)

The analysis identified unambiguous malicious behavior in log.js (the package main): an IIFE executes on require/import that monkey-patches console.log/warn/error to exfiltrate their first argument to a hardcoded Telegram bot endpoint with attacker-owned chat IDs and additionally PATCHes warn-intercepted data into an attacker-controlled Firebase RTDB. The module is further disguised with a large decoy DataTables employee dataset and a commented-out module.exports so require() returns {} while still installing the global console hooks. The combination of (a) load-time global side-effects, (b) two independent attacker-controlled exfiltration channels with hardcoded credentials/IDs, and (c) deliberate concealment via decoy data and suppressed exports constitutes a clear credential/data theft supply-chain attack with no plausible legitimate purpose. Package metadata ('11j', no description) provides no legitimate justification.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002179",
            "import_time": "2026-05-13T20:10:52.536319478Z",
            "sha256": "0f707236f9bca95d6b8abca21c159ede01d4acb2bf09d3a45d9b0390d689982c",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.2.8"
            ]
        },
        {
            "id": "IN-MAL-2026-002176",
            "import_time": "2026-05-13T20:10:52.310261568Z",
            "sha256": "236c8067214fe13657ced7daa40d5205624e78a081d0146c45c78b80a88b4d64",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-002178",
            "import_time": "2026-05-13T20:10:52.503040295Z",
            "sha256": "a211b304b43ec67f1f1673eb8419d2ff1ae5891ecc15134fb105c3121670840d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.2.2"
            ]
        },
        {
            "id": "IN-MAL-2026-002180",
            "import_time": "2026-05-13T20:10:52.578154651Z",
            "sha256": "bb8a352dbec76a607b42cc0636f73d51d79a33e90ab1ef7e0434d3a6647aebe5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.3.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002175",
            "import_time": "2026-05-13T20:10:52.224974927Z",
            "sha256": "bf5fa179600237043f944706288dd79a880bcdf853d10c36fe23d57add26e221",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.1.1"
            ]
        },
        {
            "id": "IN-MAL-2026-002177",
            "import_time": "2026-05-13T20:10:52.391739633Z",
            "sha256": "f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.1.8"
            ]
        }
    ]
}

Affected packages

npm / 11j

Affected versions

1.*
1.1.1
1.1.3
1.1.8
1.2.2
1.2.8
1.3.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "log.js",
            "sha256": "4d83555d3dec8a271a97d79c5ebf1d94bfdfa1e554c0231b9f0a172f403f474e",
            "tlsh": "b1f14d17d9be81af06a5b89460c6200a3159859b4cd4bc32fb9c3b890f1c5df77f0a9e"
        }
    ],
    "package_integrity": [
        {
            "filename": "11j-1.2.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-rEF58HIFXrRd+Lfeoug8HaSHkBm6qU3TPc39ulU3ljkYoK76aFJOfvk3UrlNXYW9TfX6JtDYKCcv2jkG4dlgqg==",
                "sha1": "81d67686e5b39f557f665ffc6fee597af96feabd"
            }
        }
    ],
    "urls": [
        "https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${x}&text=${encodeURIComponent(z",
        "https://script.google.com/macros/s/AKfycbwMWbBpkE5PFO_MwJOSVU5nyN-1K46auSlosxphK9TRhA11y5s/exec",
        "https://iiilll.firebaseio.com/.json"
    ],
    "domains": [
        "api.telegram.org",
        "iiilll.firebaseio.com",
        "script.google.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/11j/MAL-2026-3670.json"