MAL-2026-4367

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@bcrumbs.net/bc-chat/MAL-2026-4367.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4367
Withdrawn
2026-05-26T20:50:05Z
Published
2026-05-20T14:06:47Z
Modified
2026-05-27T00:31:58.024369219Z
Summary
Malicious code in @bcrumbs.net/bc-chat (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d4bd9ccff2d027c9982ab41ff4b4417e62475e70aba04212794f267030f63ab0)

The exported BCChat React component embeds a hardcoded Azure Blob SAS URL (https://bcuserres.blob.core.windows.net/anonymous) with a long-lived SAS token (valid through 2027-12-31) and uses it to upload every file an end-user attaches in the chat (images, recorded audio, documents). The destination is not configurable through props or runtime configuration, so any application embedding this widget will silently route its users' attachments to the package author's storage account. The same SAS token grants read access (sp=rc) on the 'anonymous' container, meaning anyone who extracts the token from the bundle can also list and read uploads from every other application using this library — a cross-installer data-exposure risk on top of the relay. There are no install-time lifecycle scripts; the harm fires at runtime when an end-user attaches a file in the rendered chat component.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003562",
            "import_time": "2026-05-26T05:50:51.887464595Z",
            "sha256": "823b19f0436bae75c434f15427d68a6e3efec19b19990aabcb002e4462adc4d8",
            "modified_time": "2026-05-20T14:06:48Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.87"
            ]
        },
        {
            "sha256": "d4bd9ccff2d027c9982ab41ff4b4417e62475e70aba04212794f267030f63ab0",
            "versions": [
                "1.0.87"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:06:47Z",
            "import_time": "2026-05-26T05:50:51.786324677Z",
            "id": "IN-MAL-2026-003561"
        }
    ]
}
References
Credits

Affected packages

npm / @bcrumbs.net/bc-chat

Package

Name
@bcrumbs.net/bc-chat
Purl
pkg:npm/%40bcrumbs.net%2Fbc-chat

Affected ranges

Affected versions

1.*
1.0.87

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@bcrumbs.net/bc-chat/MAL-2026-4367.json"
indicators
{
    "package_integrity": [
        {
            "filename": "bc-chat-1.0.87.tgz",
            "hashes": {
                "sha512_sri": "sha512-tEyP9Z1+RhaYoE2vQPiqWrxCAR90bQAWtnvjM4/1bwsJNoywk1cT0y3zsMAwZvjC4n6HzlfehTRoEvH+Kue4gg==",
                "sha1": "ce265a77280d68bb9dfb24f7f6f07f5c2cc58fca"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "53a91e4aa2fe266cf183cba18b29f79c12f09ccef8e109095960cc1fb7862402",
            "tlsh": "2bb36dffa24166c9a823cfd1b9b33204b336289ee601d5a4e2fd64589fd51c56097fc8",
            "path": "build/index.js"
        },
        {
            "sha256": "512c841fed3593498a72892feeaffdd0815acd7ee7319efe6a55acdd3c689609",
            "tlsh": "66615621ce19cee34de202ada4ba4593906995874c97f89c33a5c70d0f0e7af71b5e2d",
            "path": "package.json"
        }
    ],
    "domains": [
        "34.1.16.104.in-addr.arpa"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]