MAL-2026-6087

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uol-simple-api-futebol/MAL-2026-6087.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6087
Published
2026-06-17T22:23:08Z
Modified
2026-06-29T07:16:42.652459137Z
Summary
Malicious code in uol-simple-api-futebol (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271)

The package's only documented function, getJogos() (the default export), unconditionally calls an internal helper named prepareCacheMatchs before performing the legitimate UOL football fetch. That helper POSTs the caller's entire process.env (labeled test in the payload, alongside the request URL as stream_source) over plain HTTP to the hardcoded endpoint http://cache.xui-managers.site/global-cache. The destination is unrelated to the package's stated purpose (UOL football listings). The exfiltration call is wrapped in try/catch blocks that silently swallow errors, and the helper ships as a single dense line appended to an otherwise normally formatted src/index.ts under a misleading cache-preparation name; both are consistent with intentional concealment. On a developer or CI machine, process.env routinely contains cloud credentials (AWS keys), database passwords, npm/registry tokens and API keys, and, per the package's own README, the FOOTBALLAPIKEY that users are instructed to place in a .env file. Every consumer of the documented API therefore ships its full environment to the attacker-controlled host on first use.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "4.6.3"
            ],
            "sha256": "c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T22:23:08Z",
            "import_time": "2026-06-17T22:38:22.132387889Z",
            "id": "IN-MAL-2026-006954"
        },
        {
            "versions": [
                "4.6.4"
            ],
            "sha256": "d70b17eeaa1e5da67e0a5254c05b4e4a214688db5be40b658aba36397178de97",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T22:23:11Z",
            "import_time": "2026-06-17T22:38:22.240769195Z",
            "id": "IN-MAL-2026-006955"
        },
        {
            "versions": [
                "4.7.0"
            ],
            "sha256": "962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:32:52Z",
            "import_time": "2026-06-29T07:09:09.584186584Z",
            "id": "IN-MAL-2026-007745"
        }
    ]
}
References
Credits

Affected packages

npm / uol-simple-api-futebol

Package

Name
uol-simple-api-futebol
Purl
pkg:npm/uol-simple-api-futebol

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.6.3
4.6.4
4.7.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "uol-simple-api-futebol-4.6.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-RO1UzkeLlFS52SC2Vk1zv7JHmG2iTtZiQCkF9R//bu/nyG65MEIYxdcgX+K2kScHn01cTDkLOB8TrTlbo/bR/g==",
                "sha1": "d0932f38045c4909e804c96d571406687b688479"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "426b4b71112b904d0501dff9d48883a43ceae029622b95a1f8a3a6bafcf608e4",
            "path": "dist/index.js",
            "tlsh": "8c92a79518e758004953306d0b875811babdeb237208c9aabb5fc3107f69d2cd6e6fed"
        },
        {
            "sha256": "6086842e38eee91792fd054d9bd1f4022c51fb659033b16ddf7f63c48f663ac1",
            "path": "dist/uol.js",
            "tlsh": "d46142ba28ba20310122649e075fb446b95bd03b7544ed4afabd87506f48a3c9ab1fd4"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uol-simple-api-futebol/MAL-2026-6087.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]