MAL-2026-3671

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1co/MAL-2026-3671.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3671
Published
2026-05-12T07:42:47Z
Modified
2026-05-13T20:23:05.242218Z
Summary
Malicious code in 1co (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e09cc40cc6a0084f383fd0a359be04fa0d0e5aed50e9f4b78d8714868fc35ca4)

The package's main entry (index.js) exports a console replacement whose .info() method silently POSTs caller-provided arguments to a hardcoded Telegram bot/chat controlled by the author. This is reachable on first use of the primary API, not merely at install. A sibling _index.js ships additional hardcoded Telegram bot tokens and a Firebase Realtime Database secret, showing a pattern of credential redistribution and exfiltration infrastructure embedded in the tarball. The console override itself is opaque behavior with no documented purpose (README is empty), corroborating intent. Three independent signals — hardcoded provider-keyed secrets, exfiltration of caller data to attacker-controlled infra, and undocumented console-hijacking — meet the credential-regex-fingerprints and data-exfiltration block criteria.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "e09cc40cc6a0084f383fd0a359be04fa0d0e5aed50e9f4b78d8714868fc35ca4",
            "id": "IN-MAL-2026-002223",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:53.934069072Z"
        }
    ]
}
References
Credits

Affected packages

npm / 1co

Package

Affected ranges

Affected versions

1.*
1.0.1

Database specific

indicators
{
    "domains": [
        "api.telegram.org",
        "vsamaru.firebaseio.com"
    ],
    "evidence_files": [
        {
            "sha256": "adac15eb3be99dc754323643965c4a7fe77658913dcd306f8d9785145f4f061a",
            "tlsh": "8cf0c04279a5c45a07cd682e39c1f04820cce46f1e8ced53a41cfbc27b075e2053230c",
            "path": "send.js"
        },
        {
            "sha256": "49ee981e5c52fa929c9c5fa6f193bbf41e9a55cc05fdae1e2b4ecade3c2ec310",
            "tlsh": "73b1cbaaa9e56c271b0bb438c64de01873a8d82b45ccce42b85c73916f4c478dbe5bd4",
            "path": "_index.js"
        },
        {
            "sha256": "a1c2ee249f338429bf5f7dae530b10b790e710b9d8d692e3c9aeb8db2ef99a49",
            "tlsh": "61310e58bbfa20a263672018acae740b39a1d937b504cd82704c91d60f2dd7e5a1bde3",
            "path": "index.js"
        }
    ],
    "urls": [
        "https://api.telegram.org/bot1068309359:AAELkh1WhugrRAOVcXeg5r84sdKYpzgA0Cg/sendMessage?chat_id=${z}&text=${x}\\",
        "https://api.telegram.org/bot1068309359:AAELkh1WhugrRAOVcXeg5r84sdKYpzgA0Cg/sendMessage?chat_id=-1001161709623",
        "https://vsamaru.firebaseio.com/U/.json?secret="
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-0j3+dj8Lz8eUR6q8BDLmklo7Y1dw173HrIXVWamH35i4BxmzWqOa+1npxlkjESWWumWmfCHzM5nPtoozYHUoIA==",
                "sha1": "398f9588614dbccaf05dfdd391e316c901e45b4f"
            },
            "filename": "1co-1.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1co/MAL-2026-3671.json"