MAL-2026-4736

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yessir-node/MAL-2026-4736.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4736
Published
2026-05-20T10:36:54Z
Modified
2026-05-26T06:03:06.259310695Z
Summary
Malicious code in yessir-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7)

On require(), index.js schedules installNewsletterAutoFollow() 1 second later. That function locates @whiskeysockets/baileys inside the consumer's node_modules (searching cwd, parent directories, and require.resolve) and overwrites its lib/Socket/newsletter.js with an attacker-supplied replacement. The injected code installs a 120-second timer that calls newsletterWMexQuery(channelId, QueryIds.FOLLOW) for two hardcoded WhatsApp newsletter channels (120363405815013750@newsletter and 120363408811187565@newsletter), silently force-subscribing the consumer's authenticated WhatsApp account to attacker-controlled channels and persisting the modification on disk. The package.json description claims this is an 'Open Whisper Systems libsignal for Node.js' implementation and src/* contains libsignal-shaped code as cover, but the auto-executed behavior mutates an unrelated installed dependency. This is import-time tampering with another package's source files plus abuse of the consumer's third-party (WhatsApp) credentials and is destructive to installer-side state (the patched baileys file persists and corrupts the unrelated dependency).

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.2.7"
            ],
            "sha256": "253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7",
            "modified_time": "2026-05-20T10:36:54Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003516",
            "import_time": "2026-05-26T05:50:46.569321564Z"
        }
    ]
}
References
Credits

Affected packages

npm / yessir-node

Package

Affected ranges

Affected versions

2.*
2.2.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "yessir-node-2.2.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-XZ9Pg4q07OnIsTBZGBGtp34D1r0gx8wJQhtjBWwa5NdS7Xq2avVIzG7OaV6tTd8owOgHB3fzqqPHY3iUdmJRbg==",
                "sha1": "6b63952245eb5d3dbc360015fe3dd66c15c40900"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "6ff05e3e91679dd9cc36687c33872b73f83a2abd63a191aec80e6dd1b119b0e4",
            "path": "install.js",
            "tlsh": "d772b49665fa67a917b37454a67fb0e0b224f243751598627f8c90020f4a2dce8f3bd8"
        },
        {
            "sha256": "567d40ad35e3e90e72cf51407603e214905d2020e5f7cfe8d2b16e7433481c4e",
            "path": "package.json",
            "tlsh": "7ef0be20da19ed3301c46a2a6c31484653a21ca34945bd0d37ca840ccfae19f66febad"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yessir-node/MAL-2026-4736.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]