MAL-2026-4666

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/seedcode-facturacion-electronica/MAL-2026-4666.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4666
Withdrawn
2026-05-26T22:13:04Z
Published
2026-05-21T01:06:46Z
Modified
2026-05-27T00:32:12.981852933Z
Summary
Malicious code in seedcode-facturacion-electronica (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e)

The package advertises itself as a client for submitting El Salvador electronic invoices (DTEs) directly to the Ministerio de Hacienda. In practice, the exported send_to_mh and send_invalidation_to_mh functions hardcode the destination to https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte and .../anular-dte (the author's own ERP domain), not the official MH endpoint. See dist/utils/constants.js lines 4-5 defining MH_DTE_TEST / MH_DTE / MH_INVALIDATION to that domain, and dist/utils/services/svfe.service.js line 34 performing axios.post to those constants with the caller-supplied DTE payload and mh-token Authorization header. Every consumer of the advertised API therefore transmits its full invoice contents (emisor NIT, receptor data, line items) and its Ministry of Finance authentication token to the package author's infrastructure, which then forwards (or could forward) the request to MH. The README and JSDoc imply a direct connection to MH and do not disclose the proxy. This is the silent-relay shape: the package's normal API silently leaks caller-supplied sensitive data — including a government tax-filing credential — to a hardcoded third-party destination.
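The detection shape described above (a package whose normal API posts caller data to a hardcoded host that is not the one it advertises) can be checked offline without running the package. The script below is an added example, not code from the advisory, the OSV project or the package: it verifies a downloaded tarball against a published SRI hash of the kind listed under package_integrity, then lists every http(s) URL literal in the package's JavaScript and flags hosts outside an allowlist. The allowlist host (mh.gob.sv) is a placeholder assumption for "the official MH endpoint", which the advisory does not name, and the sample tarball is constructed here to mimic the shape of the constants file the advisory describes; it is not the package's real file contents.

```python
"""Offline audit for the silent-relay pattern: check tarball integrity, then
flag hardcoded destinations outside an allowlist.

Added example; not code from the advisory or the package. The tarball built in
build_sample_tarball() is constructed for this example.
"""
import base64
import hashlib
import io
import re
import tarfile
from urllib.parse import urlparse

# Assumption: the hosts the package is *supposed* to talk to. The advisory only
# says "the official MH endpoint"; this placeholder is not a value from the page.
DEFAULT_ALLOWED_HOSTS = frozenset({"mh.gob.sv"})

URL_RE = re.compile(r"https?://[^\s'\"`<>)]+")
CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".json")


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string, the form npm and OSV publish (sha512-<base64>)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_integrity(data: bytes, expected_sri: str) -> bool:
    """True only if the bytes on disk are the bytes the advisory hashed."""
    return sri_sha512(data) == expected_sri


def host_allowed(host: str, allowed) -> bool:
    """Exact match or subdomain of an allowlisted host."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def extract_urls(text: str) -> list:
    """All http(s) URL literals in a source file, in order of appearance."""
    return URL_RE.findall(text)


def audit_tarball(tgz: bytes, allowed=DEFAULT_ALLOWED_HOSTS) -> dict:
    """Map member path -> URLs whose host is not on the allowlist.

    An empty dict means every hardcoded destination is one the caller expects;
    a non-empty dict is the silent-relay signal and names the evidence file.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(CODE_SUFFIXES):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            bad = [u for u in extract_urls(text)
                   if not host_allowed(urlparse(u).hostname or "", allowed)]
            if bad:
                findings[member.name] = bad
    return findings


def build_sample_tarball() -> bytes:
    """Constructed package/ tree mimicking the advisory's description (not real)."""
    constants_js = (
        "// constructed sample, not the package's real constants.js\n"
        'const MH_DTE_TEST = "https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte";\n'
        'const MH_DTE = "https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte";\n'
        'const MH_INVALIDATION = "https://recepciondte-api.erpseedcodesv.com/dtes/anular-dte";\n'
        "module.exports = { MH_DTE_TEST, MH_DTE, MH_INVALIDATION };\n"
    )
    # Placeholder for what an honest client would hardcode (assumed host).
    clean_js = 'const MH = "https://api.mh.gob.sv/recepcion";\n'
    members = [
        ("package/dist/utils/constants.js", constants_js),
        ("package/dist/utils/official.js", clean_js),
        ("package/README.md", "Sends DTEs directly to MH.\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members:
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    tgz = build_sample_tarball()
    print("tarball SRI:", sri_sha512(tgz))
    for path, urls in audit_tarball(tgz).items():
        print(path)
        for url in urls:
            print("  ->", url)
```

Against a real download, pass the bytes of seedcode-facturacion-electronica-2.5.35.tgz to verify_integrity() with the sha512_sri value listed under package_integrity before trusting any finding, so that what you audited is the artifact the advisory describes. A flagged file whose URLs all point at one domain that is neither the advertised destination nor a CDN is the cue to read that file by hand; the regex only finds literals, so a destination assembled at runtime from pieces or pulled from an environment variable will not appear and still needs manual review.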

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.5.35"
            ],
            "id": "IN-MAL-2026-003672",
            "modified_time": "2026-05-21T01:06:46Z",
            "import_time": "2026-05-26T05:51:05.014171172Z",
            "sha256": "366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / seedcode-facturacion-electronica

Package

Name
seedcode-facturacion-electronica
Purl
pkg:npm/seedcode-facturacion-electronica

Affected ranges

Affected versions

2.*
2.5.35

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/seedcode-facturacion-electronica/MAL-2026-4666.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "seedcode-facturacion-electronica-2.5.35.tgz",
            "hashes": {
                "sha1": "dc61066d73d56484cb9bd24f526b94d1797ac552",
                "sha512_sri": "sha512-AWToLhBlYUGzuMwEZtrrwFtg5qtsA+CtS049539iLUlAqFjOtln8+EGn/k0zl9egYjt7hC8C8UPiK4dpAnjovw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/utils/constants.js",
            "sha256": "148c24a6c976ebc3edc34d1f9fed33a43f93910c6010ab9f4cd14bf0e0a5890d",
            "tlsh": "9df0289f850803e0139511f092c295ba7acb4f873c04d03aabf5e355e41a6cf0eb081b"
        }
    ]
}