MAL-2026-3677

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8oo/MAL-2026-3677.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3677

Published

2026-05-12T07:42:29Z

Modified

2026-05-13T20:20:33.273782Z

Summary

Malicious code in 8oo (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495)

The package's main entry (index.js) executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercepted call (log, error, dir, and any other method via the Proxy's default handler) issues a fetch to https://api.telegram.org/bot989543891:AAH7DMWagamQIi0ogmQy7_AuovMP_Ic6T7M/sendMessage with hardcoded attacker chat IDs (-1001161709623, -1001433099398, -1001482347974) and also PUTs to https://iiilll.firebaseio.com/<ts>.json. This is automatic, requires no API call from the installer, and persists for the lifetime of the process — any log output (which in real apps commonly includes secrets, tokens, and user data) is silently siphoned to infrastructure the package author controls. Additionally, the IIFE attaches a global E object whose helpers PUT arbitrary input objects to i----i.firebaseio.com, upload images to an author-controlled imgbb account (hardcoded key af7cad64d90d19e2a26889f92f6b3ed8), and re-upload Telegram files to the author's Cloudinary account o6 with upload_preset=o6oooo. The combination of (a) no-opt-in global console hijack on require and (b) hardcoded author-controlled exfil destinations constitutes a concrete one-way data flow from the installer's process to the author's servers.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002189",
            "import_time": "2026-05-13T20:10:53.227057236Z",
            "sha256": "1337fb2b1b1768be9179538ab05164fea6e0ca253c0c2db0a5f4821ee9d8f770",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.19"
            ]
        },
        {
            "id": "IN-MAL-2026-002182",
            "import_time": "2026-05-13T20:10:52.70237896Z",
            "sha256": "8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.12"
            ]
        },
        {
            "id": "IN-MAL-2026-002202",
            "import_time": "2026-05-13T20:10:53.686601771Z",
            "sha256": "f678446615ac9dec4906e9fc26dd5a754de267f3b4d2d0a36d6adcb3a2643e5f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.6"
            ]
        },
        {
            "id": "IN-MAL-2026-002190",
            "import_time": "2026-05-13T20:10:53.310393145Z",
            "sha256": "e1d260207d14624119172888a5d5a436a014b6519cdbbd39d89d7e3b6bdcc97d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.21"
            ]
        },
        {
            "id": "IN-MAL-2026-002194",
            "import_time": "2026-05-13T20:10:53.529341066Z",
            "sha256": "47e04de6eb82a547ae2c3994fac69ee68cc05b2095d82899eed90f2e1c160793",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.18"
            ]
        },
        {
            "id": "IN-MAL-2026-002185",
            "import_time": "2026-05-13T20:10:52.983890439Z",
            "sha256": "7f394ebd546c8be98e73553529c16d4d9ccfdd9d9a66752a81a636dc3fb80afb",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.15"
            ]
        },
        {
            "id": "IN-MAL-2026-002184",
            "import_time": "2026-05-13T20:10:52.89191044Z",
            "sha256": "a901f20625f9e6a1f97e7e200faee2ffc53d089737db264d0879575e8bb0ebe0",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.14"
            ]
        },
        {
            "id": "IN-MAL-2026-002195",
            "import_time": "2026-05-13T20:10:53.607848838Z",
            "sha256": "c0f90df58fe63a3969412f0139c1acf41ef72c6ededc1b5b6cf9ca2e4a876567",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.8"
            ]
        },
        {
            "id": "IN-MAL-2026-002187",
            "import_time": "2026-05-13T20:10:53.1273154Z",
            "sha256": "91c146d7ec3a58d38d59f7ef6e8ba597f9bd538b6e9d0d230ec22cf4e2017a44",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.17"
            ]
        },
        {
            "id": "IN-MAL-2026-002191",
            "import_time": "2026-05-13T20:10:53.362340849Z",
            "sha256": "155d59ef46ac063a24982db00fc16a63f6aa50c383a6bd61517d802f43c2bd7d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.22"
            ]
        },
        {
            "id": "IN-MAL-2026-002192",
            "import_time": "2026-05-13T20:10:53.425568502Z",
            "sha256": "2b0baa728591af3e9d18054119c1b37f1f2b501de15baa0a337fa5caa1c5a0ff",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-002186",
            "import_time": "2026-05-13T20:10:53.066669635Z",
            "sha256": "4d46ff64d053b986925c07d85c185d381f87bafae7196b7e55f95b763a860436",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.16"
            ]
        },
        {
            "id": "IN-MAL-2026-002183",
            "import_time": "2026-05-13T20:10:52.766342677Z",
            "sha256": "58422b18a843b58a777562e309c7f430fca5f29ba652280ac8fb11eed6870949",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.13"
            ]
        },
        {
            "id": "IN-MAL-2026-002196",
            "import_time": "2026-05-13T20:10:53.652643365Z",
            "sha256": "22a84869d6d50dd5fa5f5cd07c5706b08ac4e811cb10127468eb97fa5f10bef7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.9"
            ]
        },
        {
            "id": "IN-MAL-2026-002193",
            "import_time": "2026-05-13T20:10:53.492167453Z",
            "sha256": "306bdbb47720a2bbe8b4cba1600666826da2e73327d32ab1594fb608f46cc0fe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.5"
            ]
        },
        {
            "id": "IN-MAL-2026-002181",
            "import_time": "2026-05-13T20:10:52.660965155Z",
            "sha256": "45d605bb7ccd2f732508459c27f598ca30dce5663169835f7fef16ef54650f7b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.0.11"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / 8oo

Package

Name: 8oo; View open source insights on deps.dev
Purl: pkg:npm/8oo

Affected ranges

Affected versions

0.*

0.0.4

0.0.5

0.0.6

0.0.8

0.0.9

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.21

0.0.22

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "66o.js",
            "sha256": "c332e893ae22bba36d0d251c7c22bb90530860b773c05056086a668da76cc3e4",
            "tlsh": "0921e15307cc8464a79b643b0dd6f41e32358b2f5598bc74b8edd2b1ef441fa49d0a84"
        },
        {
            "path": "index.js",
            "sha256": "70d70365b69f641f1d2ecce76156463b631431563efea10b80d649dcf75ef867",
            "tlsh": "c90275136babc86a6f87a07dedaa7607b136d11f4c5cc5523a5c13a5cf0463189e2fe0"
        }
    ],
    "package_integrity": [
        {
            "filename": "8oo-0.0.19.tgz",
            "hashes": {
                "sha512_sri": "sha512-obt2cwPHHxCQCXZCpW7uL6A9p3u9RjF+S5W5E11ngfsMZ9ISDQu7UAgaIhocJp0PzyMO0Xmkd4Dq6KLliOKm0A==",
                "sha1": "62b87be516b388a695c8c825ca84eefcaf598e65"
            }
        }
    ],
    "urls": [
        "https://api.telegram.org/bot${T}/sendMessage?chat_id=${chat}&text=${encodeURIComponent(l",
        "https://api.telegram.org/bot989543891:AAH7DMWagamQIi0ogmQy7_AuovMP_Ic6T7M/sendMessage",
        "https://i----i.firebaseio.com/${x}.json\\",
        "https://i----i.firebaseio.com/*.json",
        "https://iiilll.firebaseio.com/"
    ],
    "domains": [
        "api.telegram.org",
        "iiilll.firebaseio.com",
        "i----i.firebaseio.com"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8oo/MAL-2026-3677.json"