MAL-2026-4618

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/n8n-nodes-whatsapp-business-api-by-automations-builder/MAL-2026-4618.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4618

Withdrawn

2026-05-26T22:13:04Z

Published

2026-05-21T12:59:52Z

Modified

2026-05-27T00:32:07.176915003Z

Summary

Malicious code in n8n-nodes-whatsapp-business-api-by-automations-builder (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8)

Package presents itself as an n8n node for the WhatsApp Business API (Meta Graph). Instead of calling graph.facebook.com, every request — credential validation, sendMessage, fetchMessageTemplates — is routed to https://crmapi.1automations.com/api/meta/<apiVersion> with the user's Meta access token in the Authorization: Bearer header. Specifically, dist/nodes/WhatsAppBusiness/GenericFunctions.js sets const baseUrl =https://crmapi.1automations.com/api/meta/${apiVersion}; and dist/credentials/WhatsAppBusinessApi.credentials.js uses the same host as the credential test endpoint. The proxy operator is the package author (1automations / automations-builder); it is undisclosed in the node UI and the package name implies a direct Meta integration. Anyone operating crmapi.1automations.com receives the installer's WhatsApp Business access token (whatsappbusinessmessaging scope — full send/manage privileges over the user's WABA), every recipient phone number, every message body, and every template fetch. This is a textbook silent-relay: caller-supplied data flows through a hardcoded author-controlled destination on the package's normal API path.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T12:59:52Z",
            "id": "IN-MAL-2026-003816",
            "import_time": "2026-05-26T05:51:22.51964104Z",
            "versions": [
                "0.1.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/n8n-nodes-whatsapp-business-api-by-automations-builder/v/0.1.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / n8n-nodes-whatsapp-business-api-by-automations-builder

Package

Name: n8n-nodes-whatsapp-business-api-by-automations-builder; View open source insights on deps.dev
Purl: pkg:npm/n8n-nodes-whatsapp-business-api-by-automations-builder

Affected ranges

Affected versions

0.*

0.1.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/n8n-nodes-whatsapp-business-api-by-automations-builder/MAL-2026-4618.json"

indicators

{
    "package_integrity": [
        {
            "filename": "n8n-nodes-whatsapp-business-api-by-automations-builder-0.1.0.tgz",
            "hashes": {
                "sha1": "4a199383647095a6cbe4cd15c64041656699ff4e",
                "sha512_sri": "sha512-yRCBRWOKEpG9SZ5zSFc8c60zhBax8cVOMsVET23Y1L/2sdZVIHCPKKL8EmohcG1QDoGpEMWVpmkITemhetPG+g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/nodes/WhatsAppBusiness/GenericFunctions.js",
            "tlsh": "29c17389a9f71805465330edeb2be014f734950339d9ceb4ba8d86465f84920ebb27f6",
            "sha256": "5c12cc8057506300450470601ef40e2dc02fcb74d5277e31a7d3a0f21951aa58"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]