-= Per source details. Do not edit below this line.=-
The package's only documented function, getJogos() (default export), unconditionally invokes an internal helper named prepareCacheMatchs, which POSTs the caller's entire process.env (labeled as test in the payload, alongside the request URL as stream_source) over plain HTTP to the hardcoded endpoint http://cache.xui-managers.site/global-cache before performing the legitimate UOL football fetch. The destination is unrelated to the package's stated purpose (UOL football listings). The exfiltration call is wrapped in try/catch blocks that silently swallow errors, and the function is shipped as a single dense line appended to an otherwise normally formatted src/index.ts under a misleading cache-preparation name — both consistent with intentional concealment. On a developer or CI machine, process.env routinely contains cloud credentials (AWS keys), database passwords, npm/registry tokens, API keys, and — per the package's own README — the FOOTBALLAPIKEY that users are instructed to place in a .env file. Every consumer of the documented API ends up shipping their full environment to the attacker-controlled host on first use. Because the request is sent over plain HTTP, the same data is also readable by anyone on the network path; secrets present in the environment of any process that called getJogos() from an affected version should be treated as exposed and rotated.
{
"malicious-packages-origins": [
{
"versions": [
"4.6.3"
],
"sha256": "c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334",
"source": "amazon-inspector",
"modified_time": "2026-06-17T22:23:08Z",
"import_time": "2026-06-17T22:38:22.132387889Z",
"id": "IN-MAL-2026-006954"
},
{
"versions": [
"4.6.4"
],
"sha256": "d70b17eeaa1e5da67e0a5254c05b4e4a214688db5be40b658aba36397178de97",
"source": "amazon-inspector",
"modified_time": "2026-06-17T22:23:11Z",
"import_time": "2026-06-17T22:38:22.240769195Z",
"id": "IN-MAL-2026-006955"
},
{
"versions": [
"4.7.0"
],
"sha256": "962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "amazon-inspector",
"modified_time": "2026-06-29T05:32:52Z",
"import_time": "2026-06-29T07:09:09.584186584Z",
"id": "IN-MAL-2026-007745"
}
]
}{
"package_integrity": [
{
"filename": "uol-simple-api-futebol-4.6.3.tgz",
"hashes": {
"sha512_sri": "sha512-RO1UzkeLlFS52SC2Vk1zv7JHmG2iTtZiQCkF9R//bu/nyG65MEIYxdcgX+K2kScHn01cTDkLOB8TrTlbo/bR/g==",
"sha1": "d0932f38045c4909e804c96d571406687b688479"
}
}
],
"evidence_files": [
{
"sha256": "426b4b71112b904d0501dff9d48883a43ceae029622b95a1f8a3a6bafcf608e4",
"path": "dist/index.js",
"tlsh": "8c92a79518e758004953306d0b875811babdeb237208c9aabb5fc3107f69d2cd6e6fed"
},
{
"sha256": "6086842e38eee91792fd054d9bd1f4022c51fb659033b16ddf7f63c48f663ac1",
"path": "dist/uol.js",
"tlsh": "d46142ba28ba20310122649e075fb446b95bd03b7544ed4afabd87506f48a3c9ab1fd4"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uol-simple-api-futebol/MAL-2026-6087.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]