MAL-2026-4564

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/finup-mongo-library/MAL-2026-4564.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4564
Published
2026-05-21T12:28:01Z
Modified
2026-05-26T06:02:34.331503173Z
Summary
Malicious code in finup-mongo-library (npm)
Details

Source: amazon-inspector (1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39)

dist/common/instrument.js calls Sentry.init() at module top level with a hardcoded DSN pointing at the author's Sentry project (o4511257159139328.ingest.us.sentry.io/4511257262161920), with tracesSampleRate and profilesSampleRate both set to 1.0. Because dist/index.js re-exports this module via __exportStar, any consumer that does require('finup-mongo-library') (or imports it in a NestJS app, the package's stated purpose) globally configures the Sentry SDK singleton in their Node.js process. From that point onward, all uncaught exceptions, performance traces, and profiles produced by the consumer's application — which routinely include stack frames, source file paths, request URLs, query parameters, and incidental PII captured in error context — are shipped to a Sentry account the author controls, with no caller opt-in and no documented disclosure. This is a silent-relay shape: the destination is hardcoded by the author, the trigger is module import, and the data flowing out is the consumer's application telemetry, not the package's own. A separately-shipped HttpExceptionFilter additionally POSTs request bodies to a Telegram bot URL, but that destination is read from consumer env vars, so it is opt-in and not part of the relay finding.
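An added detection check, not part of the advisory or of the package, that scans a JavaScript source file for Sentry.init() calls and flags the shape described above: a string-literal DSN passed from module top level, so telemetry is redirected on import. The two sample sources and the DSN value are constructed placeholders.

```javascript
// Constructed sample mirroring the advisory's shape (placeholder DSN, not the real one).
const SAMPLE_INSTRUMENT_JS = `
"use strict";
const Sentry = require("@sentry/node");
Sentry.init({
    dsn: "https://EXAMPLE_KEY@oEXAMPLE.ingest.us.sentry.io/EXAMPLE_PROJECT",
    tracesSampleRate: 1.0,
    profilesSampleRate: 1.0,
});
`;

// Constructed benign sample: init only runs when the consumer calls it, DSN from config.
const SAMPLE_BENIGN_JS = `
const Sentry = require("@sentry/node");
function setupMonitoring(options) {
  Sentry.init({ dsn: options.dsn || process.env.SENTRY_DSN, tracesSampleRate: 0.1 });
}
module.exports = { setupMonitoring };
`;

// Returns one finding per Sentry.init() call: source line, whether the call sits at
// module top level (heuristic: no unclosed '{' before it), and any hardcoded DSN.
function findSentryInits(source) {
  const findings = [];
  const callRe = /Sentry\.init\s*\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const start = m.index + m[0].length;
    let depth = 1, i = start;            // walk to the matching ')' to isolate the args
    while (i < source.length && depth > 0) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
      i++;
    }
    const args = source.slice(start, i - 1);
    const dsnLiteral = /dsn\s*:\s*(['"`])([^'"`]+)\1/.exec(args);
    const before = source.slice(0, m.index);
    const opened = (before.match(/{/g) || []).length;
    const closed = (before.match(/}/g) || []).length;
    findings.push({
      line: before.split('\n').length,
      topLevel: opened === closed,
      hardcodedDsn: dsnLiteral ? dsnLiteral[2] : null,
    });
  }
  return findings;
}

// Silent-relay shape: hardcoded destination AND initialisation triggered by import.
function isSilentRelay(source) {
  return findSentryInits(source).some(f => f.topLevel && f.hardcodedDsn !== null);
}
```

Run it over each file under a dependency's dist/ directory; a hit means the package configures the process-wide Sentry singleton on require() without the consumer's opt-in.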

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-22T09:55:22Z",
            "versions": [
                "4.0.1"
            ],
            "sha256": "0ebcd2feb8924949312b4c4060c51256c9a62edc9793243b8f00f5dbf6bcc747",
            "id": "IN-MAL-2026-004181",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:05.708260392Z"
        },
        {
            "modified_time": "2026-05-21T12:28:01Z",
            "versions": [
                "3.9.9"
            ],
            "sha256": "1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39",
            "id": "IN-MAL-2026-003805",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:20.950446377Z"
        }
    ]
}
References
Credits

Affected packages

npm / finup-mongo-library

Package

Name
finup-mongo-library
Purl
pkg:npm/finup-mongo-library

Affected ranges

Affected versions

3.*
3.9.9
4.*
4.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "a54e764ec038c972d9bcde6d5eaebbcc0918ca3d00ed2d5877f07d1bbdb7c23e",
            "tlsh": "7231858679f9f95190b224bc6bbf8006fab40533006cf010b76cc7f42f6245562ecd9a",
            "path": "dist/common/instrument.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-C3HOJJaf+idH4zFee2TM0QI1QfFGf7Q1E8VaVd1p+mEzTJZRkfnWG8h8BzvwUT0FknCLmIbhBkIpBppF1r61Zw==",
                "sha1": "962d06cc4bfc281d78e3cb554ca7a496dbed469d"
            },
            "filename": "finup-mongo-library-4.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/finup-mongo-library/MAL-2026-4564.json"