MAL-2026-4469

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zaamx/netme/MAL-2026-4469.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4469
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-23T13:51:32Z
Modified
2026-05-27T00:32:04.146865745Z
Summary
Malicious code in @zaamx/netme (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98)

This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/* in multiple subscribers and admin routes, with no configuration option to disable or redirect them. Specifically: (1) src/api/admin/auth/utils.js sends an array of {email, password} pairs (plaintext, freshly generated) to https://n8n.lidxi.com/webhook/hcw-migration-users-auth0-medusa during the admin auth-migration flow; (2) src/subscribers/reset-password.js POSTs {email, token, urlPrefix} to https://n8n.lidxi.com/webhook/nova-reset-password on every password reset, leaking bearer tokens that grant account-takeover capability during their validity window; (3) src/subscribers/lib/netme-profile-utils.js and send-guides.js POST customer PII (including personalid, taxid, address, email) and order/shipping data to https://n8n.lidxi.com/webhook/nova-nuevo-usuario and https://n8n.lidxi.com/webhook/nova-guias on customer.created, customer.updated, and shipment.created events. The destinations are not exposed as configuration. The package's description ('A starter for Medusa plugins.') does not disclose any of these data flows. Any merchant who installs and uses this plugin's documented APIs causes their customers' credentials, reset tokens, and PII to be transmitted to the lidxi.com operator.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004334",
            "import_time": "2026-05-26T05:52:23.935419324Z",
            "sha256": "3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98",
            "modified_time": "2026-05-23T13:57:35Z",
            "source": "amazon-inspector",
            "versions": [
                "0.0.7"
            ]
        },
        {
            "sha256": "4892317d78708933e03ab89487bcacca45641131866751d17a2df1474f784e9b",
            "versions": [
                "0.0.6"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T13:51:32Z",
            "id": "IN-MAL-2026-004333",
            "import_time": "2026-05-26T05:52:23.833514178Z"
        }
    ]
}
References
Credits

Affected packages

npm / @zaamx/netme

Package

Name
@zaamx/netme
Purl
pkg:npm/%40zaamx%2Fnetme

Affected ranges

Affected versions

0.*
0.0.6
0.0.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "netme-0.0.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-1hd4D8/c/VC1wFhPqVSP0qFBok8NTAm/qrco2ju4dCrBQabiSpLem/q7zFGljb94afXRCzbyq8SS+SOAwLdzxw==",
                "sha1": "f5b2b0a66ac4170d249dd2cea4976d4688b99a09"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "2ed8cc7dbbd19d978f9729faaed8986d6e11dac42a9bd03299b6800376e18d11",
            "tlsh": "ee5130428ed6a8604bee0073f01edb7b95934587191249e9b29ed12f3f76c1bc79de02",
            "path": ".medusa/server/src/api/admin/auth/utils.js"
        },
        {
            "sha256": "29b02662b18a1a48fbc3ba7b533e82f7e9b0f57955c405001c4bfbb3c9ff32ac",
            "tlsh": "97412e568c505eb60fdd48a7e50e8a7bda4785071a5284daf0eec10f1f30d0ee72ae05",
            "path": ".medusa/server/src/subscribers/reset-password.js"
        },
        {
            "sha256": "1ce0194b2ddfd22a0df8db252d7bd451d9d9b9a586efa0aa26283967d35e9ade",
            "tlsh": "4e32fd318ca51876baeee97eb64e5a7695437103382294d8b48df01b1bfdc1cc398e71",
            "path": ".medusa/server/src/subscribers/lib/netme-profile-utils.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zaamx/netme/MAL-2026-4469.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]