MAL-2026-4552

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/etherproxy-lite/MAL-2026-4552.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4552
Withdrawn
2026-05-26T18:39:44Z
Published
2026-05-25T20:30:38Z
Modified
2026-05-27T00:32:12.928902735Z
Summary
Malicious code in etherproxy-lite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5756836b470f645f316696cbaedb1aedc21cde7fc921714bfbf70f2d528ad5b4)

The bundled dist/index.js reads process.env values and posts data to https://api.telegram.org via a hardcoded fetch call (line 97), with additional POST/fetch primitives at lines 63, 69, and 98. The Telegram bot API endpoint pattern (api.telegram.org/bot<token>/sendMessage) is a well-documented exfiltration channel used to deliver harvested credentials and host data to an attacker-controlled bot, leveraging Telegram's TLS infrastructure to defeat domain blocking. Combined with the require("fs") + require("http") + process.env reads in the same module, the package's behavior is environment harvesting and outbound exfiltration on use. Installing or loading this package routes installer-side environment variables to an attacker-controlled Telegram bot.

Database specific 
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:15.405599672Z",
            "versions": [
                "0.6.0"
            ],
            "modified_time": "2026-05-25T20:30:38Z",
            "id": "IN-MAL-2026-004774",
            "sha256": "5756836b470f645f316696cbaedb1aedc21cde7fc921714bfbf70f2d528ad5b4",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / etherproxy-lite

Package

Name
etherproxy-lite
View open source insights on deps.dev
Purl
pkg:npm/etherproxy-lite

Affected ranges

Affected versions

0.*
0.6.0

Database specific

indicators 
{
    "package_integrity": [
        {
            "filename": "etherproxy-lite-0.6.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Uusjn+Clj5DV0PXfxDhfyMFueFDEloQ2fUZY0w8f9JDpkKa6EXBrnwQoJnzXeZ0IDQZwXJUSlJIBCPgeNAcwBw==",
                "sha1": "3b757caf88719e144bb4a49f44f69f0c864ba628"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "e2925e7f33601556ea6ddc85e61bccf598e104b64ee779ab0f3677d91e19dd57",
            "tlsh": "a79153451ff380f221f3116bb65756022a56e12336aedde47bcc97ae1f81a548b603cd"
        }
    ]
}
cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/etherproxy-lite/MAL-2026-4552.json"