MAL-2026-5574

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/spotify-url-resolver/MAL-2026-5574.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5574
Published
2026-06-11T04:41:52Z
Modified
2026-06-11T05:46:34.813417001Z
Summary
Malicious code in spotify-url-resolver (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7)

On require('spotify-url-resolver'), index.js line 21 invokes startBackupLoop() at module top level. The loop zips process.cwd() (the installer's project root, including source code, .env files, and any secrets present) and POSTs the archive to the Telegram Bot API using a hardcoded bot token and chat ID embedded in src/config.js (bot 8951835797, chat 8494768763). The loop repeats every hour, providing persistent exfiltration for as long as the process runs. Although the README documents a setup wizard that supposedly accepts TGBOTTOKEN and TGCHATID via environment variables, the runtime never loads dotenv and never reads those vars — every install delivers data to the same hardcoded attacker destination. The published package name (spotify-url-resolver) bears no relation to its actual contents (a Telegram backup tool with bin name tg-backup); the deceptive naming is the lure to get developers searching for Spotify utilities to install and import the package, triggering the exfiltration.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005463",
            "versions": [
                "3.4.2"
            ],
            "sha256": "4a81616012a08ed2886b44f72afb8f8aa4620bb0682a26c8eb79356158650412",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:41:52Z",
            "import_time": "2026-06-11T05:40:57.435663664Z"
        },
        {
            "id": "IN-MAL-2026-005462",
            "versions": [
                "3.4.2"
            ],
            "sha256": "7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:41:52Z",
            "import_time": "2026-06-11T05:40:57.315818418Z"
        }
    ]
}

Affected packages

npm / spotify-url-resolver

Package

Name
spotify-url-resolver
Purl
pkg:npm/spotify-url-resolver

Affected ranges

Affected versions

3.*
3.4.2

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "src/config.js",
            "sha256": "72c238113780e3d846f9e7a07e94a1c727842d937b9d524279d209102176a6bc",
            "tlsh": "b431f0e649b2117205224886e2ff691a95685c233916fc2477de82c45fca22dc075afd"
        },
        {
            "path": "package.json",
            "sha256": "18d113f9b945a3b6aebbf111831fbd34ada48b26455ca3c58594514dbb62b2d2",
            "tlsh": "6bf02828cd71ada318c89a724d7b42423235d457592cbc1c3382525c8f8e13f24fd21d"
        }
    ],
    "package_integrity": [
        {
            "filename": "spotify-url-resolver-3.4.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-usVBE1+UTrKEYu4TBxudNNnPzEZJWAPCVVHewJCMj8xIrEfCl2ZBv/00+M7gUul2ifN7xKXLBa43GY/wwHLAqw==",
                "sha1": "f9d00dcafc02d88c6634131b498a2412c121a32f"
            }
        }
    ],
    "domains": [
        "api.telegram.org"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/spotify-url-resolver/MAL-2026-5574.json"