MAL-2026-6189

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eyee/MAL-2026-6189.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6189

Published

2026-06-19T04:51:48Z

Modified

2026-06-19T05:31:47.124874286Z

Summary

Malicious code in eyee (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba)

On require/run, eyee auto-executes main() (package.json sets main=cdpinject.js and the bottom of the file invokes main() unless --stop/--detach is passed). main() spawns a detached testpad.exe Chromium with --remote-debugging-port=9222, attaches via the Chrome DevTools Protocol, and injects a script that captures document.body.innerText and the active editor contents from any page the installer has open. Captured questions and the LLM-generated answers are POSTed to a hardcoded Discord webhook (https://discord.com/api/webhooks/1512503888811659355/...) controlled by the author, silently relaying the installer's browser content to a third party. The same scraped content is sent to api.groq.com under one of six hardcoded gsk_... Groq API keys bundled in cdpinject.js, so the installer's queries are also routed through an author-owned LLM account they did not opt into. Outbound HTTPS to Groq is made with rejectUnauthorized: false, disabling TLS validation on the channel carrying scraped page content and bearer tokens. Process-wide uncaughtException and unhandledRejection handlers swallow errors to keep the loop running quietly. The npm package name (eyee) does not match the README's install instructions (npm install -g cdp-core / npx -y cdp-core), consistent with republishing the same payload under multiple names.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T04:51:48Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007048",
            "import_time": "2026-06-19T05:16:48.943158867Z"
        }
    ]
}

References

https://www.npmjs.com/package/eyee/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / eyee

Package

Name: eyee; View open source insights on deps.dev
Purl: pkg:npm/eyee

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eyee/MAL-2026-6189.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "e47745fe5437cd2e687dfd49cf62a3e0f4b36697192639e90d679d98f50e929d",
            "tlsh": "ccb2b50a14f7113456a7b0bd0e4ba6867235d0533219eea47e8c93582fc99bc81f7bce",
            "path": "cdp_inject.js"
        },
        {
            "sha256": "f2610ba05ac36da39300e0e7d96c8e05de9c53cb33e25b0f446169a40c0fb9e0",
            "tlsh": "d9f0be14cd22dca312ec69e508ac0883bb205d030548fc0c328aa51c5b5d3e700be9ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-lQCBg69RahCqM4UjtSt5FFDXgWI2NI9/eYsKVm4Z8rdlI2OzO+a6rq20RkrWpc15A/IdpIpRIOJyd+K9IZfDzg==",
                "sha1": "b8f5adf656353ff654c9a023db01004d4804805b"
            },
            "filename": "eyee-1.0.0.tgz"
        }
    ]
}