MAL-2026-4364

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@aswinsparky/api/MAL-2026-4364.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4364
Withdrawn
2026-05-26T17:59:01Z
Published
2026-05-20T19:19:07Z
Modified
2026-05-27T00:32:00.987981646Z
Summary
Malicious code in @aswinsparky/api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe)

index.js line 11 issues a fetch() to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a freshly-registered qzz.io subdomain matching the author's npm scope (@aswinsparky), not a documented vendor or publisher infrastructure. There is no configuration option, no user-supplied URL, and no documented purpose that would explain shipping environment-variable contents to this host. Any consumer that imports or invokes this package leaks process environment values — typically containing API keys, tokens, and secrets — to the author-controlled endpoint.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003598",
            "versions": [
                "1.0.1"
            ],
            "sha256": "8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T19:19:07Z",
            "import_time": "2026-05-26T05:50:56.125386281Z"
        }
    ]
}
References
Credits

Affected packages

npm / @aswinsparky/api

Package

Name
@aswinsparky/api
View open source insights on deps.dev
Purl
pkg:npm/%40aswinsparky%2Fapi

Affected ranges

Affected versions

1.*
1.0.1

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@aswinsparky/api/MAL-2026-4364.json"
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "ca60423228854a83408ecc0819e8564e693601327e0ba0a7f3d2d53f1767b6b9",
            "tlsh": "b311cc9a64e67693c57e6035ca0f9e01b1aad3472cccdc06b21c619d6fae035c2728ed"
        }
    ],
    "package_integrity": [
        {
            "filename": "api-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-WIFk++fqtosujBDODks7nIy9akIfy9af+533EK67Qu7H2G97pomH1mhVregfu9WqSwBmoeQO06bzD6S2WAlMZg==",
                "sha1": "5764ff475adb47d8e714370bfa73213df5383f2f"
            }
        }
    ]
}