MAL-2026-4419

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@pmate/utils/MAL-2026-4419.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4419
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-25T09:50:38Z
Modified
2026-05-27T00:32:02.630434244Z
Summary
Malicious code in @pmate/utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502)

The exported detectText(imageBase64) function in src/detectText.ts sends caller-supplied image content to https://vision.googleapis.com/v1/images:annotate using a hardcoded Google Cloud API key (AIzaSyB60IT_Mte2tZisNiBujfS_q9MPOnw6tgk) belonging to the package author. Any consumer who calls the advertised text-detection utility unknowingly routes their image data through the author's Google Cloud project, where requests are quota-tracked and may be logged on the author's side. Callers cannot configure or disable this destination — it is hardcoded in the function body. The hardcoded key is also distributed in plaintext to every installer, allowing anyone to drain the author's Vision API quota.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502",
            "import_time": "2026-05-26T05:52:57.289698917Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T09:50:38Z",
            "versions": [
                "1.1.4"
            ],
            "id": "IN-MAL-2026-004616"
        }
    ]
}
References
Credits

Affected packages

npm / @pmate/utils

Package

Name
@pmate/utils
Purl
pkg:npm/%40pmate%2Futils

Affected ranges

Affected versions

1.*
1.1.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@pmate/utils/MAL-2026-4419.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "5e2123466cf515a34bcf60f1128f9403f124904f3a6def50b78c02941f5a13d96babc9",
            "sha256": "89f70c21583de39273c7c294d714edeeea6ed443360ca87994998b4fd2c96496",
            "path": "src/detectText.ts"
        }
    ],
    "package_integrity": [
        {
            "filename": "utils-1.1.4.tgz",
            "hashes": {
                "sha1": "5df218edf53a2c8b54c0db8de0650e17aed46c4a",
                "sha512_sri": "sha512-r5dQoDPkUrZFfsBPYI19Mk4WLVsW3nojDNsKcKJndno049Nr4dpdOuAqf3dVOmeNpj9ow7E8th6cBrNrkgPtog=="
            }
        }
    ]
}