-= Per source details. Do not edit below this line.=-
This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers (loginViaAPI, tokensViaAPI, tokens) send the caller-supplied Facebook email, password, and 2FA secret to https://api.fca-ng.top/api/v1/facebook/login_ios by default rather than authenticating directly with facebook.com. The default destination is hardcoded in src/engine/core/config.ts (apiServer: "https://api.fca-ng.top") and consumed in src/engine/core/authHelpers.ts line 62, which POSTs { email, password, twoFactor } to that endpoint. The README does not disclose this third-party relay; consumers using the library to log a bot account into Facebook will silently hand their credentials to the package author's server on every login. The relay is opt-out (a consumer must override apiServer) rather than opt-in, which inverts the trust model expected of a Messenger client library. Additionally, src/engine/core/updateCheck.ts exposes a self-updater that can invoke execFile('npm', ['i', '<pkg>@latest']) when config.install is enabled. That updater is gated and not auto-triggered, but it is a secondary quality concern.
{
"malicious-packages-origins": [
{
"sha256": "30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2",
"source": "amazon-inspector",
"modified_time": "2026-05-22T04:35:10Z",
"versions": [
"2.0.1"
],
"id": "IN-MAL-2026-004133",
"import_time": "2026-05-26T05:52:00.073364165Z"
}
]
}
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@asura21232/fca-unofficial-nextgen/MAL-2026-4363.json"
{
"evidence_files": [
{
"sha256": "84a3b3943e424adee94988a2502cfe1af361cd7c0fd3a409fede43b8d13b63af",
"tlsh": "0d02870d312a204a0a7263b4e7835214f75761d732d5c2babafca2642f3142ed972f9d",
"path": "src/engine/core/authHelpers.ts"
},
{
"sha256": "21abfa35130e7f5f8535b304a065fbe27bd8f6d1c4aa7fbc8f9fd8a4e09d8238",
"tlsh": "32c132ca6527b5334a70a739da0a4418fb26ab7331058594fdee35103f37624e1abe9c",
"path": "src/engine/core/updateCheck.ts"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-tDJW+koBdg0kXc3Ywtp2pB6YYE3brVphPsrlIOq08bBEAZcO8KhEYO51FFngiWwZvDRhAz2vc6IeeXG+IICpZg==",
"sha1": "a862487df3f39a2ec18f7597bd690114e908ce09"
},
"filename": "fca-unofficial-nextgen-2.0.1.tgz"
}
]
}