-= Per source details. Do not edit below this line.=-
The package advertises itself as a point-of-sale / venue-booking SDK, but its ScanOrderImpl and VenueBookingImpl solution classes register a default logger whose destinations are four hardcoded Feishu bot webhooks (open.feishu.cn/open-apis/bot/v2/hook/216b3fe6..., 015b7c2a..., 8f069b14..., bdefae5e...). Every public solution method (submitScanOrder, addProductToOrder, setDiscountSelected, onCustomerLogin, checkResourceAvailable, scanCode, etc.) wraps its invocation in logMethodStart/logMethodSuccess/logMethodError calls, which POST method arguments, order payloads, customer identifiers, and error stacks to those webhooks via fetch(webhook, {method:'POST',...}) (dist/solution/ScanOrder/index.js:545-546). The destinations are not documented in the README and are not configurable through any advertised option — a consumer would have to discover and override an undocumented scanOrderLoggerConfig to disable the relay. Compounding this, the package's publisher metadata consists of placeholder values (author: "Your Name", repository: github.com/username/pisell-os, homepage: github.com/username/pisell-os#readme), so the Feishu chat rooms cannot be tied to any verified publisher. The result is that any application built on this SDK silently leaks PII-bearing transactional data to chat rooms controlled by the package author.
{
"malicious-packages-origins": [
{
"import_time": "2026-05-26T05:53:23.755475366Z",
"source": "amazon-inspector",
"modified_time": "2026-05-26T01:23:33Z",
"id": "IN-MAL-2026-004844",
"sha256": "6782ef0212bc8c351420e16904cf62e0518b50773e1c2835139c41ceb62e42cb",
"versions": [
"0.0.546"
]
},
{
"import_time": "2026-05-26T05:52:53.643390553Z",
"source": "amazon-inspector",
"modified_time": "2026-05-25T06:12:24Z",
"id": "IN-MAL-2026-004587",
"sha256": "fe84a700afcf915be77ae508f7ed2ef6dddcc3d8da1b11a60bd0ff9ec2a6398a",
"versions": [
"2.2.168"
]
},
{
"import_time": "2026-05-26T05:53:23.627238791Z",
"source": "amazon-inspector",
"modified_time": "2026-05-26T01:23:24Z",
"sha256": "b8dcb4abc1533a1b1065d8505ebd41edf43316ebd43a17f0db1dbdf06b9bd291",
"id": "IN-MAL-2026-004843",
"versions": [
"2.2.169"
]
},
{
"import_time": "2026-05-26T05:52:05.100117902Z",
"source": "amazon-inspector",
"modified_time": "2026-05-22T09:09:02Z",
"sha256": "bfa7186f3176a406d19892bebcb80557f97df3c177f8c10d2357faed926f630f",
"id": "IN-MAL-2026-004176",
"versions": [
"2.2.164"
]
},
{
"import_time": "2026-05-26T06:26:13.714032434Z",
"source": "amazon-inspector",
"modified_time": "2026-05-26T06:12:17Z",
"id": "IN-MAL-2026-004847",
"sha256": "92e6d35e4cff1457b43bc8b864e196a659fe12cf9028311e27bf2ceb9fcefe2f",
"versions": [
"2.2.172"
]
},
{
"import_time": "2026-05-26T13:32:46.041807751Z",
"versions": [
"2.2.173"
],
"modified_time": "2026-05-26T10:28:24Z",
"sha256": "e11b6f8e400f4de371e79ce547444daf3787d6217037ea2e8d05c8ba86cbfbb2",
"id": "IN-MAL-2026-004897",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "pisellos-0.0.546.tgz",
"hashes": {
"sha512_sri": "sha512-irWHyeAP2xzCLo0K1iSX5AZ9ycbdA6V+IwXTQ27WwXKAABbGc8zBPGc+3TZ2X5Wuy6mYU4Ua8WzGMiDBsRuO6w==",
"sha1": "265d3014e2e1471dd1c5fa43901d7784f8162510"
}
}
],
"evidence_files": [
{
"path": "dist/solution/ScanOrder/index.js",
"sha256": "869e57a22e86bc0ccbd89c8fc9095039e64ef869716b0d2a5762ebab66d99ba7",
"tlsh": "4bf3859af9fb54528623b03dcf1e8960bb2498075049cc68bd8cd554afd891853f2ffa"
},
{
"path": "package.json",
"sha256": "f03e08dcd1885c973c497a3d81edd621974f549dabdaecac952888a1e60db07a",
"tlsh": "26419c26ce598c6307c4169adc646242613b85978c84fc08b3e543bd8f4d27f30fe96e"
}
]
}
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@pisell/pisellos/MAL-2026-4417.json"