-= Per source details. Do not edit below this line.=-
index.js executes on require as an IIFE that reassigns console.warn/error (and adds console.SL/FB/N) to forward arguments via fetch() to a hardcoded Telegram bot (989543891 with chat IDs -1001161709623/-1001433099398/-1001482347974), a hardcoded Slack webhook (T021S1VDCEB/B0221B6786T/UEUp2F6L4sOzKY5XcuI6WdZw), two Firebase RTDBs (iiilll.firebaseio.com, i----i.firebaseio.com), and imgbb. Any installer that requires this package has subsequent console output — which routinely contains stack traces, internal state, tokens, and PII — silently relayed out of process to attacker infrastructure. The 17,576-entry 3-letter alphabet array is used to generate opaque Firebase keys for the collection bucket, corroborating that this is maintained exfiltration infrastructure, not an accident. This is unambiguous installer-side harm with traced code evidence.
{
"malicious-packages-origins": [
{
"versions": [
"0.2.8"
],
"sha256": "4956159952af1b6af08b70ab219d7827988fae1fd82994f29090a1f2bf299094",
"modified_time": "2026-05-12T19:03:07Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-002478",
"import_time": "2026-05-13T20:10:57.29334492Z"
}
]
}{
"package_integrity": [
{
"filename": "6cc-0.2.8.tgz",
"hashes": {
"sha512_sri": "sha512-G1b7TvL0PWiTwQf37ttP5YgCT4FcFTYgO9KPsVMZyxRtoCXppyD4isYkCoz1fp3UTCFeiPFKuvOe9a0jQ/u3mw==",
"sha1": "6f853637873558fcd0b9daf7d65f93e43985bf63"
}
}
],
"evidence_files": [
{
"sha256": "6335cbe4724021466bf7a9d6ae7ef61f9b132a95c87c4fbed6320c71cb09cca7",
"path": "index.js",
"tlsh": "c2b3d1024e5d8639cb9d0748146f1e4801eca15b719cebce7aaeebf41f8ab8460177dd"
}
],
"urls": [
"https://api.telegram.org/bot${T}/sendMessage?chat_id=${id}&text=${encodeURIComponent(z",
"https://hooks.slack.com/services/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",
"https://api.telegram.org/bot989543891:AAEABA8BE-.../sendMessage",
"https://iiilll.firebaseio.com/.json?shallow=true"
],
"domains": [
"api.telegram.org",
"hooks.slack.com",
"iiilll.firebaseio.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/6cc/MAL-2026-3675.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]