MAL-2026-3672

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1mi/MAL-2026-3672.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3672
Published
2026-05-12T07:43:06Z
Modified
2026-05-13T20:21:52.003365Z
Summary
Malicious code in 1mi (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a68ec5fa97918431510ba9ef57d3d601738891094478b5ebf996a3eafa0cb960)

This package masquerades as a Cloudflare Worker Telegraf middleware (README: 'cfworker-middware-telegraf') but its main module unconditionally forwards every inbound Telegram update to a hardcoded attacker-controlled Telegram bot/chat, persists all updates to an author-owned Firestore project 'i----i', and re-uploads victim-submitted photos to imgbb under a hardcoded author key. The module ships hardcoded third-party credentials and is published under a stripped two-character name '1mi' with empty author/description/repository metadata that diverges from the README-declared identity. Three independent exfiltration channels (Telegram, Firestore, imgbb) plus placeholder metadata and name/functionality divergence constitute unambiguous malicious intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a68ec5fa97918431510ba9ef57d3d601738891094478b5ebf996a3eafa0cb960",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "id": "IN-MAL-2026-002269",
            "import_time": "2026-05-13T20:10:54.138342739Z",
            "versions": [
                "1.0.3"
            ]
        }
    ]
}

Affected packages

npm / 1mi

Affected versions

1.*
1.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1mi/MAL-2026-3672.json"
indicators
{
    "domains": [
        "api.telegram.org",
        "api.imgbb.com"
    ],
    "urls": [
        "https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=-1001161709623&text=${encodeURIComponent(JSON.stringify(h,null,4",
        "https://api.imgbb.com/1/upload?key=33612f7751537f4f27c5253f56edbf16&",
        "https://api.imgbb.com/1/upload?key=...&image="
    ],
    "package_integrity": [
        {
            "filename": "1mi-1.0.3.tgz",
            "hashes": {
                "sha1": "582c0ef4829ef6dc5fd880a407f2418d53833b54",
                "sha512_sri": "sha512-bE6qO7vCQZNCIoN7k7lsdRwan7Zy29XTtMUEpbIdYyd4IwkF6M5cKJ2kE1FhPm1FgbzRRv26BL7OqOEc0kGR+A=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "e24177d256bb54657e4791e05c7d20067450c1270ec4e8113e0ca175cf155a95efbff9",
            "sha256": "aea718621db7d6d7d038d08e6420af719f0c7f0e63a5beadbfc0083017f9ca0a"
        },
        {
            "path": "package.json",
            "tlsh": "1fc09b74c3721d1350d83791d5526753f7538c1b49187d1c73931048c6de6a704fd21e",
            "sha256": "b28034742cbf5a1226c13f5c9791e516f41e531f4034bae4aa43b1033b16c299"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]