-= Per source details. Do not edit below this line.=-
When a consumer uses the advertised api.listen()/listenE2EE() flow, every incoming message attachment whose type is "photo" is automatically uploaded to imgbb.com using a hardcoded API key. In src/listenMqtt.js (lines 64-69), attachImageUrlToAttachment() is invoked unconditionally inside parseDelta and calls api.imgUpload(attachment.url) for every photo attachment. src/uploadImageToImgbb.js hardcodes IMGBBKEY = "3e198e6ffe205d1c7968a92fd92177c9" and POSTs the photo URL to https://api.imgbb.com/1/upload, which causes ImgBB to fetch the image bytes and store them in the author's ImgBB gallery. The behavior is not documented in the README, is not gated by any option, and the destination is the author's account — not the consumer's. Bot operators who use this library to handle DMs or group chats will therefore have every photo their bot receives silently relayed to an author-controlled image host. This matches the silent-relay class: caller-supplied data flows through the package's normal API to a hardcoded third-party destination that the caller never chose. The hardcoded ImgBB key is the mechanism that enables the relay.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004459",
"versions": [
"1.4.7"
],
"sha256": "35a4db02ce3d3ea022c8a6b5349975b4721d3f2c5b516b6c3dd3dddbfa802271",
"source": "amazon-inspector",
"modified_time": "2026-05-24T03:52:15Z",
"import_time": "2026-05-26T05:52:38.4508009Z"
},
{
"id": "IN-MAL-2026-003871",
"import_time": "2026-05-26T05:51:29.285663267Z",
"sha256": "368373b13e54a5d4ab6094f16b9dfb5a53689d0bb247eafc873c90900e80dc9b",
"source": "amazon-inspector",
"modified_time": "2026-05-21T14:49:40Z",
"versions": [
"1.2.0"
]
},
{
"id": "IN-MAL-2026-003869",
"versions": [
"1.1.0"
],
"sha256": "be8ff2a192c6008c348822bf28de5f51394b459996c6a61d55fa10ab5325cbca",
"source": "amazon-inspector",
"modified_time": "2026-05-21T14:34:24Z",
"import_time": "2026-05-26T05:51:29.048650848Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "src/listenMqtt.js",
"sha256": "e5f107e6d7653d9c41db38d2251912466bd759dd0d94ecd2489059db2f269651",
"tlsh": "31d2730d69f7155a1177702ebb9fa004227ac0031e4dfd62f98cd6a5af484bca6f67c8"
},
{
"path": "src/uploadImageToImgbb.js",
"sha256": "eac5f974b0284878750b3e85b93a4834f4722947c5d375fda229f1e5ecf196c2",
"tlsh": "6721c08938e730164cb37076379f8649b9bda5232498cba2b55c8351bf44c64a3737cc"
}
],
"package_integrity": [
{
"filename": "nexca-1.4.7.tgz",
"hashes": {
"sha512_sri": "sha512-C8euOG0IWwKeDe+3M2iqf2mwBBL7a/FrL3xbfkJwpnm/k/nZS1Ki47Jbxc0Sp1hl3Ytfh9fNt6A+BnKoDhbAZA==",
"sha1": "81efe766566b78e043e1a9b02f06a6afd1339fa9"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dekuzxc/nexca/MAL-2026-4380.json"