MAL-2026-3674

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/66o/MAL-2026-3674.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-3674
Published: 2026-05-12T07:44:45Z
Modified: 2026-05-13T20:21:51.392697Z
Summary: Malicious code in 66o (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c3ba0e9f968d627812a2a4efbb8631d3400b6c19692c7668c8e511e2808aaa62)

On require(), index.js replaces the global console object with a Proxy (index.js:36-73) that intercepts console.error/info/warn calls anywhere in the host process and POSTs their serialized content (up to 4090 chars) to https://api.telegram.org/bot<redacted-token>/sendMessage?chat_id=5043676235. It additionally installs a process.on('uncaughtException', err => console.error(err)) handler (index.js:3-10), ensuring that any uncaught exception in the installer's application — which commonly includes file paths, environment values, SQL fragments, and request payloads in stack traces — is routed through the same exfiltration channel to an author-controlled Telegram chat. A secondary global U/F function (index.js:75-83) writes caller-supplied objects to an author-owned Firebase Realtime Database (iiilll.firebaseio.com). The hardcoded Telegram bot token and imgbb API key in the source are the credentials backing this relay, not merely author-leaked secrets. Any consumer that requires this package silently has their log and error stream piped to a third party without consent — a textbook silent-relay / data exfiltration supply-chain attack.
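
A runtime check for the two side effects described above (a Proxy in place of the global console, and a new uncaughtException handler), written as an added example that is not part of the advisory or of the package. The function names are hypothetical, and constructedStandIn is a constructed fixture that records calls in a local array and makes no network requests.

```javascript
'use strict';
const { types } = require('node:util');

// Console methods the advisory says are intercepted.
const WATCHED = ['error', 'info', 'warn'];

// Record the global state that the advisory says index.js alters on require().
function snapshotRuntime() {
  const c = globalThis.console;
  return {
    consoleObject: c,
    methods: Object.fromEntries(WATCHED.map((m) => [m, c[m]])),
    listeners: new Set(process.listeners('uncaughtException')),
  };
}

// Compare the current runtime against an earlier snapshot; return findings.
function auditRuntime(before) {
  const findings = [];
  const c = globalThis.console;
  if (types.isProxy(c)) findings.push('console is a Proxy');
  if (c !== before.consoleObject) findings.push('global console object replaced');
  for (const m of WATCHED) {
    if (c[m] !== before.methods[m]) findings.push(`console.${m} replaced`);
  }
  const added = process.listeners('uncaughtException')
    .filter((fn) => !before.listeners.has(fn));
  if (added.length) findings.push(`${added.length} uncaughtException listener(s) added`);
  return findings;
}

// Run `load` (for example () => require('some-dependency')) between snapshot and audit.
function auditLoad(load) {
  const before = snapshotRuntime();
  load();
  return auditRuntime(before);
}

// Constructed stand-in with the same shape of side effects, recording locally only.
function constructedStandIn(captured) {
  const real = globalThis.console;
  const onErr = (err) => captured.push([String(err)]);
  globalThis.console = new Proxy(real, {
    get: (t, p) => (WATCHED.includes(p) ? (...a) => captured.push(a) : Reflect.get(t, p)),
  });
  process.on('uncaughtException', onErr);
  return () => { globalThis.console = real; process.removeListener('uncaughtException', onErr); };
}
```

Wrapping each dependency load in auditLoad during a CI smoke test flags any module that alters the console or error handling at require time, whichever package it comes from.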

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002483",
            "import_time": "2026-05-13T20:10:57.648756053Z",
            "sha256": "1a214cc5bb46f83fba63a38ad74b82facd8c3cd83d1e6a8d753e9efda051113f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.3"
            ]
        },
        {
            "id": "IN-MAL-2026-002481",
            "import_time": "2026-05-13T20:10:57.539668117Z",
            "sha256": "c3ba0e9f968d627812a2a4efbb8631d3400b6c19692c7668c8e511e2808aaa62",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.196"
            ]
        },
        {
            "id": "IN-MAL-2026-002482",
            "import_time": "2026-05-13T20:10:57.590239752Z",
            "sha256": "c64cf74239764896d89680b0c5312fa9460383f30f7f423a639c8009fb9f054e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.197"
            ]
        },
        {
            "id": "IN-MAL-2026-002479",
            "import_time": "2026-05-13T20:10:57.369381052Z",
            "sha256": "8e65e1410da21dc0a1b883b13ad19ba2abb70f4270132f62d5e0b17f793314a3",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.18"
            ]
        },
        {
            "id": "IN-MAL-2026-002486",
            "import_time": "2026-05-13T20:10:57.785813636Z",
            "sha256": "9fdabd748a051fb2aba56fff851cdd2d5087710b9da2bf59a82b1109c855ab4b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.192"
            ]
        },
        {
            "id": "IN-MAL-2026-002484",
            "import_time": "2026-05-13T20:10:57.707637626Z",
            "sha256": "c2ed1f26961fa4c42eb40c594e6aab6619e9543f4af9fe41652322939119de87",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.5"
            ]
        }
    ]
}

Affected packages

npm / 66o

Affected versions

0.*
0.0.3
0.0.5
0.0.18
0.0.192
0.0.196
0.0.197

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]