MAL-2026-4806

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shizukyu/MAL-2026-4806.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4806

Published

2026-05-26T10:27:32Z

Modified

2026-05-26T13:47:12.399730722Z

Summary

Malicious code in shizukyu (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449)

The package exports a single function shizukuCh(socket) that accepts a caller's authenticated Baileys WhatsApp socket and invokes socket.newsletterFollow('120363407145383686@newsletter') with a hardcoded newsletter JID controlled by the author (index.js:4). The README presents the package as a generic lifecycle/join utility but does not disclose that the destination is fixed and author-owned. Any consumer who wires this into their connection.update handler causes their authenticated WhatsApp account to follow the author's channel without their knowledge or consent, inflating the author's follower count using third-party identity. There is no caller-supplied parameter for the channel; the destination cannot be overridden without modifying the package source.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T10:27:32Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-004896",
            "import_time": "2026-05-26T13:32:45.961256028Z"
        }
    ]
}

References

https://www.npmjs.com/package/shizukyu/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / shizukyu

Package

Name: shizukyu; View open source insights on deps.dev
Purl: pkg:npm/shizukyu

Affected ranges

Affected versions

1.*

1.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shizukyu/MAL-2026-4806.json"

indicators

{
    "package_integrity": [
        {
            "filename": "shizukyu-1.0.1.tgz",
            "hashes": {
                "sha1": "4fa385c84da1fe1f252ce9ff873a894438f119f3",
                "sha512_sri": "sha512-1YtydEitF1w5n64Vr0pYeftUFyIfMDGrmPaeTdSm4hIfN9W23UXYe/7t64QajETltdJZjdhDTkRC9aHbhWj/yw=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "9355b092d3bd83a98d051df464f72d10d0b31959f22ef983a84e4a0e2b00aabd",
            "tlsh": "f2d0a7db64f7613551a324190a5ea082f225d443010d8596b51c5e82bf463788ba0940",
            "path": "index.js"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]