MAL-2026-4509

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/celonix-otp-react/MAL-2026-4509.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4509
Published
2026-05-21T15:51:36Z
Modified
2026-05-26T06:02:17.486503962Z
Summary
Malicious code in celonix-otp-react (npm)
Details

Source: amazon-inspector (df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb)

The package presents itself as a React OTP component, but its only exported widget hardcodes a single Firebase Realtime Database URL (https://gate-ways-default-rtdb.firebaseio.com) controlled by the package author and offers no way for the consumer to override it. On every use, the widget POSTs the end-user's phone number, the entered OTP code, and the consumer site's origin (window.location.origin) to <author-firebase>/otpRequests.json (index.js line 34, with the URL declared at line 5). Verification then polls <author-firebase>/otpRequests/<requestId>.json and treats data.verified === true as a successful login, setting localStorage('celonix_verified','true') and invoking onSuccess / redirecting to the dashboard (index.js lines 79-84).

Two distinct harms to anyone who integrates this widget:

(1) Silent relay: every end-user phone number and OTP entered on the consumer's site is exfiltrated to the author's database without the consumer's or the end-user's knowledge.

(2) Auth backdoor: because the 'verified' flag is written by the author-controlled backend, whoever controls that Firebase project can mark any session verified and log in as any phone number on any site that uses this widget, with no cryptographic check on the consumer side.

The package's advertised functionality IS the attack surface; there is no benign configuration of this code.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T16:10:41Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "09e0b6c5a067f1cf4b3523b3ac0152d3a0ac9919ac05b0988a0874e930522a86",
            "id": "IN-MAL-2026-003880",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:30.384850856Z"
        },
        {
            "modified_time": "2026-05-21T16:05:01Z",
            "versions": [
                "1.0.2"
            ],
            "sha256": "3576213d7d58f98ecb6656b551731ee274a9eafc662b16cc6fd8ff231fe23354",
            "id": "IN-MAL-2026-003879",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:30.28188538Z"
        },
        {
            "modified_time": "2026-05-21T16:16:18Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "96548d4aeceb2e9006252619d9bc3b11a8288d6fc50b1be0d90422802f02cf86",
            "id": "IN-MAL-2026-003881",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:30.494530791Z"
        },
        {
            "modified_time": "2026-05-21T16:31:46Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "b2a2c2ef10fad05d231c4afef2a6c458d3be438e25414f48f35ff26cd233d0ce",
            "id": "IN-MAL-2026-003905",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:33.195656451Z"
        },
        {
            "modified_time": "2026-05-21T15:51:36Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb",
            "id": "IN-MAL-2026-003878",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:30.149231201Z"
        }
    ]
}
References
Credits

Affected packages

npm / celonix-otp-react

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.2
1.0.3
1.0.4
1.0.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "050950060e4496557f420a82213aee7ec25844a781d53a41547407fbb1387f86",
            "tlsh": "97e19509b076104966e3e17b7b3345087297a20f754adab87b8c05a83f9d65ca0fe3dc",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-54fKCF+2ETptUlaqNV4ziNFjQdbNbGvxe8Xq+MdZUVWp07VHa0tKj4lAs9EP5Vxz3aud15WQFXZjD8KpYn5jyQ==",
                "sha1": "cf7e4ef2ced70beb31cbe04b109aaa94c5af5563"
            },
            "filename": "celonix-otp-react-1.0.3.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/celonix-otp-react/MAL-2026-4509.json"