MAL-2026-3678

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8q/MAL-2026-3678.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3678
Published
2026-05-12T07:43:52Z
Modified
2026-05-13T20:20:58.009334Z
Summary
Malicious code in 8q (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e)

The package's declared main entry (router.js) is an IIFE that runs the moment an installer's code executes require('8q') or import '8q'. On load it overrides the global console.warn, console.error, console.exit, console.info, and adds a console.N. Each override POSTs its arguments to https://api.telegram.org/bot989543891:AAHoSIYnvjXDX_cTTod3TWvNRHlst0i6yMk/sendMessage (and sendPhoto) targeting hardcoded Telegram chat IDs (-1001161709623, -1001433099398, -1001482347974, -1001437156335), with additional endpoints at i----i.firebaseio.com, iiilll.firebaseio.com, and api.imgbb.com. Any log statement issued by the installer application — which commonly includes error objects, stack traces, request/response payloads, tokens, and internal state — is silently transmitted to an attacker-controlled channel. In addition, replacing console.* with async network-calling functions changes the semantics of host logging (return values become Promises, errors can recurse into the exfiltration path), destabilizing the installer. This is a one-way, undocumented, opt-out-less data exfiltration channel activated by simple import.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002364",
            "import_time": "2026-05-13T20:10:56.407173888Z",
            "sha256": "1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.8.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / 8q

Package

Affected ranges

Affected versions

1.*
1.8.2

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "router.js",
            "sha256": "21c138c7f4825b7e5864ba602f6b103f3737eeafd16859a6604e6dccf24d79c8",
            "tlsh": "5df151c62dfb94a31f9b2812826fe0877566c73b565eec10750cefa14f20d618877ac6"
        }
    ],
    "package_integrity": [
        {
            "filename": "8q-1.8.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-txNAgfYtmjKkjqntLea9UbLjqSW6E/zuPlcerGNzaywKL4U6jQEldoOtN5DetoD6c98pGsyN7bnpbzYpaZyRiQ==",
                "sha1": "5d27b72e7a0375fe9e5e9c08f5a90d37bdf29200"
            }
        }
    ],
    "urls": [
        "https://api.telegram.org/bot${T}/sendMessage?chat_id=${id}&text=${encodeURIComponent(z",
        "https://api.telegram.org/bot989543891:AAHoSIYnvjXDX_cTTod3TWvNRHlst0i6yMk/sendMessage",
        "https://api.imgbb.com/1/upload?key=33612f7751537f4f27c5253f56edbf16",
        "https://i----i.firebaseio.com/.json",
        "https://iiilll.firebaseio.com/.json"
    ],
    "domains": [
        "api.telegram.org",
        "api.imgbb.com",
        "i----i.firebaseio.com",
        "iiilll.firebaseio.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8q/MAL-2026-3678.json"