MAL-2026-3675

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/6cc/MAL-2026-3675.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3675
Published
2026-05-12T07:44:43Z
Modified
2026-05-13T20:23:28.314058Z
Summary
Malicious code in 6cc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4956159952af1b6af08b70ab219d7827988fae1fd82994f29090a1f2bf299094)

index.js executes on require as an IIFE that reassigns console.warn/error (and adds console.SL/FB/N) to forward arguments via fetch() to a hardcoded Telegram bot (989543891 with chat IDs -1001161709623/-1001433099398/-1001482347974), a hardcoded Slack webhook (T021S1VDCEB/B0221B6786T/UEUp2F6L4sOzKY5XcuI6WdZw), two Firebase RTDBs (iiilll.firebaseio.com, i----i.firebaseio.com), and imgbb. Any installer that requires this package has subsequent console output — which routinely contains stack traces, internal state, tokens, and PII — silently relayed out of process to attacker infrastructure. The 17,576-entry 3-letter alphabet array is used to generate opaque Firebase keys for the collection bucket, corroborating that this is maintained exfiltration infrastructure, not an accident. This is unambiguous installer-side harm with traced code evidence.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.2.8"
            ],
            "sha256": "4956159952af1b6af08b70ab219d7827988fae1fd82994f29090a1f2bf299094",
            "modified_time": "2026-05-12T19:03:07Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-002478",
            "import_time": "2026-05-13T20:10:57.29334492Z"
        }
    ]
}
References
Credits

Affected packages

npm / 6cc

Package

Affected ranges

Affected versions

0.*
0.2.8

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "6cc-0.2.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-G1b7TvL0PWiTwQf37ttP5YgCT4FcFTYgO9KPsVMZyxRtoCXppyD4isYkCoz1fp3UTCFeiPFKuvOe9a0jQ/u3mw==",
                "sha1": "6f853637873558fcd0b9daf7d65f93e43985bf63"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "6335cbe4724021466bf7a9d6ae7ef61f9b132a95c87c4fbed6320c71cb09cca7",
            "path": "index.js",
            "tlsh": "c2b3d1024e5d8639cb9d0748146f1e4801eca15b719cebce7aaeebf41f8ab8460177dd"
        }
    ],
    "urls": [
        "https://api.telegram.org/bot${T}/sendMessage?chat_id=${id}&text=${encodeURIComponent(z",
        "https://hooks.slack.com/services/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",
        "https://api.telegram.org/bot989543891:AAEABA8BE-.../sendMessage",
        "https://iiilll.firebaseio.com/.json?shallow=true"
    ],
    "domains": [
        "api.telegram.org",
        "hooks.slack.com",
        "iiilll.firebaseio.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/6cc/MAL-2026-3675.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]