MAL-2026-4682

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tango-app-api-trax/MAL-2026-4682.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4682
Published
2026-05-20T11:24:49Z
Modified
2026-05-26T06:02:57.889049302Z
Summary
Malicious code in tango-app-api-trax (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d)

The package tarball includes a Google Cloud service-account JSON file (fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json) containing a live RSA private key for the service account firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com in the tango-trax Firebase/GCP project. Anyone who installs the package receives these admin credentials in node_modules and can authenticate to the project's Firestore, Realtime Database, FCM, Auth and Storage with full Admin SDK privileges, so the data of the Tango/Trax service's end users can be read or modified by any installer. This is third-party credential redistribution, distinct from author self-harm: the credentials grant access to a production system holding other users' data, not merely to the author's own accounts. Removing the version from npm does not invalidate the key; only disabling or deleting the service-account key in the tango-trax project does. The package additionally hardcodes an AWS Lambda function URL (https://f65azvtljclaxp6l7rnx65cdmm0lcgvp.lambda-url.ap-south-1.on.aws), referenced from POST/fetch calls in src/controllers/teaxFlag.controller.js, indicating that the package is an internal backend that should never have been published to a public registry.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "591ab6cb5c137b1fefb34181907f9b9eb7d798262aadf1d09ac5e936d469d110",
            "modified_time": "2026-05-20T11:28:53Z",
            "id": "IN-MAL-2026-003521",
            "versions": [
                "3.9.10"
            ],
            "import_time": "2026-05-26T05:50:47.112157677Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d",
            "modified_time": "2026-05-20T11:24:49Z",
            "id": "IN-MAL-2026-003520",
            "import_time": "2026-05-26T05:50:46.993714311Z",
            "versions": [
                "3.9.10"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / tango-app-api-trax

Package

Affected ranges

Affected versions

3.*
3.9.10

Database specific

indicators
{
    "domains": [
        "34.7.16.104.in-addr.arpa",
        "github.com",
        "release-assets.githubusercontent.com",
        "storage.googleapis.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "a98e4697332d4385a6222734a9cedb6db97cbd94",
                "sha512_sri": "sha512-SZqZsjKxX/XdkW4UjhHMV3j9yLIiYGRp2moMmPbfl+k9/xBA+pwHvEIP/9qUh+TW2xHTCuIgj6QDf+14ygI18w=="
            },
            "filename": "tango-app-api-trax-3.9.10.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json",
            "sha256": "1665a44f88c2bedd03ba4123af91ec2ce38d87ea908b6bd3258f190e96f40ce1",
            "tlsh": "9e41eab30a84a1e38a7081e21a0ae617b5555f2d1f19a8ee53f600b0dcc9be9111f742"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tango-app-api-trax/MAL-2026-4682.json"