MAL-2026-4381

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@digicroz/typed-api-kit/MAL-2026-4381.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4381
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-23T20:16:52Z
Modified
2026-05-27T00:31:54.582806710Z
Summary
Malicious code in @digicroz/typed-api-kit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (32c8c3e9ffd3f994b21011084101df521e232c2ee5dbe93fd51f36977549f2dc)

The exported paymentGateways.pay0Pg.createOrder API does not call pay0.shop directly. Instead, dist/index.js hardcodes a base URL of https://script.google.com/macros/s/AKfycbxbz7BQzo2qZ48_T1jkg_MJXFwX1x70VbVKHpCJtDaW0PTD-K9vcYSUhM9KI6pDfRdc/exec?url=https://pay0.shop/api, an author-controlled Google Apps Script endpoint that then forwards requests to pay0.shop. Every call carries the consumer's merchant gatewayApiKey (pay0.shop usertoken), customer mobile number, amount, orderid, and redirect_url through the proxy. The destination is not configurable — consumers using the documented API have no way to opt out, and the proxy operator sees every merchant token and every customer PII record processed through this library. Compounding the deception, package.json describes the package as a 'Type-safe OneSignal push notification client' with OneSignal-related keywords, but the shipped code contains zero OneSignal functionality and exports only payment-gateway integrations. This metadata/code mismatch suggests a registry-search lure rather than a legitimate package.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-23T20:16:52Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "32c8c3e9ffd3f994b21011084101df521e232c2ee5dbe93fd51f36977549f2dc",
            "id": "IN-MAL-2026-004381",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:29.292169054Z"
        },
        {
            "modified_time": "2026-05-23T22:03:44Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "9e4a55cb86154d5b81122d856617087c3d4f2dd49f421c089b06bdfb4b837182",
            "id": "IN-MAL-2026-004383",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:29.502559094Z"
        }
    ]
}
References
Credits

Affected packages

npm / @digicroz/typed-api-kit

Package

Name
@digicroz/typed-api-kit
Purl
pkg:npm/%40digicroz%2Ftyped-api-kit

Affected ranges

Affected versions

1.0.3
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6041358c7e16d288e3f3f2fb1faa82de60164a9e1bb0bfa3664ff1cffa6602cc",
            "tlsh": "3a71008e3cf12016179750a8c91f1c18b8c955934b9dfc017ecd02795f8daabbce66a9",
            "path": "dist/index.js"
        },
        {
            "sha256": "72476887030cb1e45718a7d47cb3686e6ad5ed55c497306cbeafb1a1c75bf4fe",
            "tlsh": "e0417727c9e68d631af45294fd698345f372472f84608e0731f2012c8fb76a352aeb6d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "typed-api-kit-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-ipUg3m1lsjchK6uhsJlssTPT49RnVxzsg6xByIER+tglG5zJmaqNeWCcCe1VWj3kAw8bpyNrSenotF8i8qCOpQ==",
                "sha1": "3535517e4052c6f79cf1a811e6972227ff39fc03"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@digicroz/typed-api-kit/MAL-2026-4381.json"