MAL-2026-4682

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/tango-app-api-trax/MAL-2026-4682.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4682
Withdrawn
2026-06-18T19:50:12Z
Published
2026-05-20T11:24:49Z
Modified
2026-06-26T12:26:01.949570969Z
Summary
Malicious code in tango-app-api-trax (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e7d8f3ef8e6fa016bfc17617ebcedce012c6cce870d89564965a476c3ec8da1c)

The tarball contains live, importable credentials for systems other than the installer's own. src/controllers/internalTrax.controller.js hardcodes Lenskart POS authentication (username tango.eye, password 55eyetango123, header X-Lenskart-API-Key: valyoo123) inside the exported controllers aomupdateCollection and saleUpdateCollection, which post to webservice.pos.lenskart.com and central.pos.lenskart.com. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the tango.eye partner and read or mutate employee/store data. Additionally, fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json ships a complete Google Cloud service account (project_id: tango-trax, client_email: firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com) including the BEGIN PRIVATE KEY block, granting Firebase Admin privileges over the tango-trax GCP project to anyone who pulls the package. There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The ping matches in the static analysis are unrelated string occurrences in the controller and not exfiltration behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T11:28:53Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:47.112157677Z",
            "versions": [
                "3.9.10"
            ],
            "id": "IN-MAL-2026-003521",
            "sha256": "591ab6cb5c137b1fefb34181907f9b9eb7d798262aadf1d09ac5e936d469d110"
        },
        {
            "modified_time": "2026-05-20T11:24:49Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:46.993714311Z",
            "versions": [
                "3.9.10"
            ],
            "id": "IN-MAL-2026-003520",
            "sha256": "5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d"
        },
        {
            "modified_time": "2026-06-12T19:04:44Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.93326654Z",
            "versions": [
                "3.9.43"
            ],
            "id": "IN-MAL-2026-005913",
            "sha256": "4c8a53d02c48fb2675fdafcb4bedc1a372ffec81f4b51e5a947587ff9bd7c8d0"
        },
        {
            "modified_time": "2026-06-12T19:04:43Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.810086937Z",
            "id": "IN-MAL-2026-005912",
            "versions": [
                "3.9.39"
            ],
            "sha256": "56ff749fcfeb03bfd58b84b3f6a525d1cfc13c3c0c9bc6f433be5a87c47ee82a"
        },
        {
            "modified_time": "2026-06-12T19:04:40Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.421159582Z",
            "id": "IN-MAL-2026-005908",
            "versions": [
                "3.9.21"
            ],
            "sha256": "6f73fa77749a62c88ad6af00fead67036139af36f0396fc49e33e0e46b3465db"
        },
        {
            "modified_time": "2026-06-12T19:04:42Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.622064305Z",
            "id": "IN-MAL-2026-005910",
            "versions": [
                "3.9.32"
            ],
            "sha256": "73b67187cfd04d79bb02a0caa5abbb5933425803dd317eb58d30fa9f9d817667"
        },
        {
            "modified_time": "2026-06-12T19:04:41Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.533219552Z",
            "id": "IN-MAL-2026-005909",
            "versions": [
                "3.9.32"
            ],
            "sha256": "883f56cb8e1659025ca618281b73f32936557ff10e794e837bac3604ff4eae08"
        },
        {
            "modified_time": "2026-06-12T19:04:45Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:47.043383845Z",
            "versions": [
                "3.9.43"
            ],
            "id": "IN-MAL-2026-005914",
            "sha256": "e434eeea1e86591e8b74ef3db615d94fa39cc931756cc1d6f3ad0e614c465364"
        },
        {
            "modified_time": "2026-06-12T19:04:43Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.718354218Z",
            "versions": [
                "3.9.39"
            ],
            "id": "IN-MAL-2026-005911",
            "sha256": "e7d8f3ef8e6fa016bfc17617ebcedce012c6cce870d89564965a476c3ec8da1c"
        },
        {
            "modified_time": "2026-06-12T19:04:39Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:46.307105922Z",
            "versions": [
                "3.9.21"
            ],
            "id": "IN-MAL-2026-005907",
            "sha256": "0817dca8f1b99d1569ea4cd127a509e41e922c518356eeaae071a70585840f12"
        },
        {
            "modified_time": "2026-06-15T19:51:09Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T20:14:27.899469605Z",
            "id": "IN-MAL-2026-006688",
            "versions": [
                "3.9.45"
            ],
            "sha256": "5c83c2a0f33cb7c69d2bc22cf4fe27db725e1f6507b4dd3e53fb27b1247e0f89"
        },
        {
            "modified_time": "2026-06-15T19:51:09Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T20:14:27.807545212Z",
            "versions": [
                "3.9.47"
            ],
            "id": "IN-MAL-2026-006687",
            "sha256": "deb6a7f427c5a783c85ec35bb7cc43c33922a1fb5303ff90e50991057c323f0f"
        }
    ]
}
References
Credits

Affected packages

npm / tango-app-api-trax

Package

Affected ranges

Affected versions

3.*
3.9.10
3.9.21
3.9.32
3.9.39
3.9.43
3.9.45
3.9.47

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "tango-app-api-trax-3.9.10.tgz",
            "hashes": {
                "sha512_sri": "sha512-SZqZsjKxX/XdkW4UjhHMV3j9yLIiYGRp2moMmPbfl+k9/xBA+pwHvEIP/9qUh+TW2xHTCuIgj6QDf+14ygI18w==",
                "sha1": "a98e4697332d4385a6222734a9cedb6db97cbd94"
            }
        }
    ],
    "domains": [
        "34.7.16.104.in-addr.arpa",
        "github.com",
        "release-assets.githubusercontent.com",
        "storage.googleapis.com"
    ],
    "evidence_files": [
        {
            "tlsh": "9e41eab30a84a1e38a7081e21a0ae617b5555f2d1f19a8ee53f600b0dcc9be9111f742",
            "path": "fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json",
            "sha256": "1665a44f88c2bedd03ba4123af91ec2ce38d87ea908b6bd3258f190e96f40ce1"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/tango-app-api-trax/MAL-2026-4682.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]