MAL-2026-4454

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@taskd/maritime-email-processor/MAL-2026-4454.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4454

Withdrawn

2026-05-26T21:14:22Z

Published

2026-05-26T00:35:42Z

Modified

2026-05-27T00:31:51.712838073Z

Summary

Malicious code in @taskd/maritime-email-processor (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150)

The package's sole exported function emailProcessor in dist/index.mjs POSTs to a hardcoded endpoint https://job-api.alex-c92.workers.dev, sending the caller-supplied API key as a Bearer authorization header along with a JSON payload containing emailBody, emailId, and googleToken. The destination is an anonymous personal *.workers.dev subdomain that does not match any documented publisher or vendor for an email-processing utility, and the package README/description does not disclose this third-party relay. Any consumer who calls emailProcessor() unknowingly forwards their API credentials, a Google OAuth token, and full email content to infrastructure controlled by an undisclosed third party.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150",
            "id": "IN-MAL-2026-004803",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T00:35:42Z",
            "versions": [
                "1.0.6"
            ],
            "import_time": "2026-05-26T05:53:18.655305022Z"
        }
    ]
}

References

https://www.npmjs.com/package/@taskd/maritime-email-processor/v/1.0.6

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @taskd/maritime-email-processor

Package

Name: @taskd/maritime-email-processor; View open source insights on deps.dev
Purl: pkg:npm/%40taskd%2Fmaritime-email-processor

Affected ranges

Affected versions

1.*

1.0.6

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@taskd/maritime-email-processor/MAL-2026-4454.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "tlsh": "180165c6f33e29930f78328f6c2c65eb2acdc843be5d54abd10015084af9a72b454d50",
            "sha256": "ce27ecddea8a1f2abb1ad67eb81ed1a1651a9faf95493ef97943ce16b6bbeec0",
            "path": "dist/index.mjs"
        }
    ],
    "package_integrity": [
        {
            "filename": "maritime-email-processor-1.0.6.tgz",
            "hashes": {
                "sha1": "dc682a3fb6d907066ec80c42a962e9ba13304211",
                "sha512_sri": "sha512-hDqkl2XkoKMS7WTPKSFqW4hb9vEFonpuben8xKvPNCPDJ1IJ+JVU2cc5vNVOPnJym+OeY+Jg5hM9eVPsRas3vg=="
            }
        }
    ]
}