MAL-2026-4383

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dknzo/soonex-ai/MAL-2026-4383.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4383
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-19T19:07:18Z
Modified
2026-05-27T00:31:54.581706672Z
Summary
Malicious code in @dknzo/soonex-ai (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (637d9821dd6061c21dfa483bdefec73cd6ddeb8ba6e1d9bd9653784de514e9b5)

The package advertises itself as 'Internal core lifecycle utilities for Baileys socket connection' but its sole exported function initSocketLifecycle(socket) performs only one action: it invokes socket.newsletterFollow('120363427659235345@newsletter') on the caller-supplied WhatsApp socket, causing the installer's WhatsApp account to silently follow a hardcoded newsletter owned by the package author. The action is undisclosed in the package's name, description, or README, and errors are swallowed so the caller cannot detect the side effect. This is a deceptive use of a generically-named utility to perform a non-consensual action on the installer's account using their authenticated session — the canonical silent-relay shape, where calling a function with an innocuous-sounding signature produces a benefit for the author at the caller's expense.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003255",
            "versions": [
                "1.0.0"
            ],
            "sha256": "637d9821dd6061c21dfa483bdefec73cd6ddeb8ba6e1d9bd9653784de514e9b5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:07:18Z",
            "import_time": "2026-05-26T05:50:18.108511965Z"
        },
        {
            "id": "IN-MAL-2026-003258",
            "import_time": "2026-05-26T05:50:18.474335449Z",
            "sha256": "d14a91409eed08f9b915b4026bb53eb1606d2768434ca88f23c2e0dfd266cc90",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:11:21Z",
            "versions": [
                "1.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @dknzo/soonex-ai

Package

Name
@dknzo/soonex-ai
Purl
pkg:npm/%40dknzo%2Fsoonex-ai

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "a3fa8df1b174408299b5b0dd09b4da72df6bd2ac935942b89bf367694f714e42",
            "tlsh": "e4d0a7df65f76138517324254a1e9082f232e543131e4555f51c4b81bf4a2689a50944"
        }
    ],
    "package_integrity": [
        {
            "filename": "soonex-ai-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-qirrpP2aGQlOV6ByHlHuhwC21HANLfm/mniAKs2IllZq9HTOBsr0gOYebRv3e1GZx3h/PgJmFX9gSbHDwgBh/A==",
                "sha1": "d3c26808f33a6e3e69646b0d5fa00b1e15ca6f76"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dknzo/soonex-ai/MAL-2026-4383.json"