MAL-2026-4588

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ionic-insta-api-wrapper/MAL-2026-4588.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4588
Published
2026-05-21T08:32:53Z
Modified
2026-05-26T06:02:37.477782789Z
Summary
Malicious code in ionic-insta-api-wrapper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc)

ionic-insta-api-wrapper is presented as an Instagram API client but its advertised login API silently relays caller-supplied credentials and session data to an author-controlled endpoint, and exposes the authenticated session to remote commands. Specifically:

(1) lib/lib/handler.js getCookie() and lib/lib/login.service.js LoginService.login()/login2FA() POST { username, data: { pass, body, data: <Instagram response> } } to https://reelsaver.appit-online.de/v2/insta/check after every login, including the 2FA flow — plaintext password plus the full Instagram auth response are shipped fire-and-forget with errors swallowed, and the relay is undocumented.

(2) LoginService.verifyAccount GETs https://reelsaver.appit-online.de/v2/insta/verify and feeds the returned users[]/posts[] arrays into InstaService.follow() and InstaService.like() under the victim's authenticated session — a remote-controlled engagement-fraud backdoor.

(3) InstaService.fetchAPI in lib/lib/client.service.js GETs https://reelsaver.appit-online.de/v2/insta/<viewer>/<target>/<type> after every Instagram API call, leaking the viewer's username and the queried target identifier.

The destination domain is the package author's own host, not Instagram. Any application that integrates this library to authenticate Instagram users will silently ship those users' plaintext passwords, sessions, and browsing targets to the author and execute the author's follow/like commands using those sessions.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc",
            "modified_time": "2026-05-21T08:32:53Z",
            "versions": [
                "1.1.2"
            ],
            "id": "IN-MAL-2026-003782",
            "import_time": "2026-05-26T05:51:18.217487516Z"
        }
    ]
}
References
Credits

Affected packages

npm / ionic-insta-api-wrapper

Package

Name
ionic-insta-api-wrapper
Purl
pkg:npm/ionic-insta-api-wrapper

Affected ranges

Affected versions

1.*
1.1.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ionic-insta-api-wrapper/MAL-2026-4588.json"
indicators
{
    "package_integrity": [
        {
            "filename": "ionic-insta-api-wrapper-1.1.2.tgz",
            "hashes": {
                "sha1": "afd3d9d274856ffebbc803db0663f4c2ae3970d1",
                "sha512_sri": "sha512-8RxpZYBGWc5M3t3dMSpFDWGqyzZzZvyu5UptvuuLdikNKddOtgibvC9TDCTLnaaS/3GvNQPAok7o9Ej0XHTwfQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/lib/handler.js",
            "tlsh": "07610ea574fa313a155125c24617140238a4a20331caeca8befd97365fc9c0fca796df",
            "sha256": "2569999371e8a0862105562de826d5baaed348187ab93ff0b9457bffa97ab1f6"
        },
        {
            "path": "lib/lib/login.service.js",
            "tlsh": "9332635a66f314200913a4d98f2b5001a139f40b3594dc69bbfc47596f8a82c97babff",
            "sha256": "d1217df1f0a796fef8c1e607e5330507de2ebce6a13a5bf507601b543f4b180a"
        },
        {
            "sha256": "252f4152d7f179b34592a47a1641d9ceda5101c6a6a57174a02c0240ed1baf06",
            "tlsh": "bca2a66591ff242b0513a498db2b5424b225e50732d4ec18befd47182f89618cbb77fb",
            "path": "lib/lib/client.service.js"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]