-= Per source details. Do not edit below this line.=-
The package's rich-text editor module hardcodes an Azure OpenAI endpoint (https://aidevused.openai.azure.com/) and an api-key in esm2015/lib/form/richtexteditor/ai-config.js (and in the UMD bundle bundles/raise-common-lib.umd.js around lines 38398-38416). When a consuming application invokes the editor's AI features (Rephrase / Grammar / Summarize / Translate / SentimentAnalysis via OpenAiModelRTE, getAzureChatAIRequest, getAzureTextAIRequest), the user-supplied text is fetch-POSTed to that endpoint with the embedded api-key header. The destination is not configurable by the installer or the consumer's end user, so any text passed through the AI editor actions is routed to a third-party Azure account controlled by the package author. Two installer-impacting consequences result: (1) caller-supplied editor content is silently relayed to an account the installer never agreed to send data to, and (2) the embedded Azure OpenAI api-key ships in every consumer bundle, so anyone who installs the package can extract the key and use it against Azure (consuming quota, abusing billing, or impersonating that account when querying logs).
{
"malicious-packages-origins": [
{
"sha256": "7401fb7c3259e43181ef51ca47b984450f7a849fed5a9598e6131b4c0ed5d2bb",
"modified_time": "2026-05-25T09:43:45Z",
"id": "IN-MAL-2026-004615",
"import_time": "2026-05-26T05:52:57.163168526Z",
"versions": [
"0.0.249"
],
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/raise-common-lib/MAL-2026-4656.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"hashes": {
"sha1": "28d9cc4cdb07ea5baa25ebaa39c5551ec08a4592",
"sha512_sri": "sha512-ZhCxSNKzUrxuIdM1LwV2xIH/Bd615UDBHA8LlfCR8hd6aZqyaLkWj6qIGg8ZIfghbwNcuiUplUnH6r4E5O8udQ=="
},
"filename": "raise-common-lib-0.0.249.tgz"
}
],
"evidence_files": [
{
"path": "esm2015/lib/form/richtexteditor/ai-config.js",
"sha256": "0efdf93e08324ee98788107e7d680c65a177a4e5fb2ee2241fa6f64e2bf722aa",
"tlsh": "5cb1c89f5adda521f6f5af72fb0ac5fcfa560a4b0d4a00c8744fa1961b70d1c8321d68"
}
]
}