{"id":"MAL-2026-3670","summary":"Malicious code in 11j (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869)\nthe analysis identified unambiguous malicious behavior in log.js (the package main): an IIFE executes on require/import that monkey-patches console.log/warn/error to exfiltrate their first argument to a hardcoded Telegram bot endpoint with attacker-owned chat IDs and additionally PATCHes warn-intercepted data into an attacker-controlled Firebase RTDB. The module is further disguised with a large decoy DataTables employee dataset and a commented-out module.exports so require() returns {} while still installing the global console hooks. The combination of (a) load-time global side-effects, (b) two independent attacker-controlled exfiltration channels with hardcoded credentials/IDs, and (c) deliberate concealment via decoy data and suppressed exports constitutes a clear credential/data theft supply-chain attack with no plausible legitimate purpose. Package metadata ('11j', no description) provides no legitimate justification.\n","modified":"2026-05-13T20:23:30.921173Z","published":"2026-05-12T07:42:26Z","database_specific":{"malicious-packages-origins":[{"versions":["1.2.8"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002179","source":"amazon-inspector","sha256":"0f707236f9bca95d6b8abca21c159ede01d4acb2bf09d3a45d9b0390d689982c","import_time":"2026-05-13T20:10:52.536319478Z"},{"versions":["1.1.3"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002176","source":"amazon-inspector","sha256":"236c8067214fe13657ced7daa40d5205624e78a081d0146c45c78b80a88b4d64","import_time":"2026-05-13T20:10:52.310261568Z"},{"versions":["1.2.2"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002178","source":"amazon-inspector","sha256":"a211b304b43ec67f1f1673eb8419d2ff1ae5891ecc15134fb105c3121670840d","import_time":"2026-05-13T20:10:52.503040295Z"},{"versions":["1.3.0"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002180","source":"amazon-inspector","sha256":"bb8a352dbec76a607b42cc0636f73d51d79a33e90ab1ef7e0434d3a6647aebe5","import_time":"2026-05-13T20:10:52.578154651Z"},{"versions":["1.1.1"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002175","source":"amazon-inspector","sha256":"bf5fa179600237043f944706288dd79a880bcdf853d10c36fe23d57add26e221","import_time":"2026-05-13T20:10:52.224974927Z"},{"versions":["1.1.8"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002177","source":"amazon-inspector","sha256":"f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869","import_time":"2026-05-13T20:10:52.391739633Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.2.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.2.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/11j/v/1.1.8"}],"affected":[{"package":{"name":"11j","ecosystem":"npm","purl":"pkg:npm/11j"},"versions":["1.2.8","1.1.3","1.2.2","1.3.0","1.1.1","1.1.8"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/11j/MAL-2026-3670.json","indicators":{"domains":["api.telegram.org","iiilll.firebaseio.com","script.google.com"],"urls":["https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${x}&text=${encodeURIComponent(z","https://script.google.com/macros/s/AKfycbwMWbBpkE5PFO_MwJOSVU5nyN-1K46auSlosxphK9TRhA11y5s/exec","https://iiilll.firebaseio.com/.json"],"evidence_files":[{"path":"log.js","tlsh":"b1f14d17d9be81af06a5b89460c6200a3159859b4cd4bc32fb9c3b890f1c5df77f0a9e","sha256":"4d83555d3dec8a271a97d79c5ebf1d94bfdfa1e554c0231b9f0a172f403f474e"}],"package_integrity":[{"hashes":{"sha1":"81d67686e5b39f557f665ffc6fee597af96feabd","sha512_sri":"sha512-rEF58HIFXrRd+Lfeoug8HaSHkBm6qU3TPc39ulU3ljkYoK76aFJOfvk3UrlNXYW9TfX6JtDYKCcv2jkG4dlgqg=="},"filename":"11j-1.2.8.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}