{"id":"MAL-2026-3671","summary":"Malicious code in 1co (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e09cc40cc6a0084f383fd0a359be04fa0d0e5aed50e9f4b78d8714868fc35ca4)\nThe package's main entry (index.js) exports a console replacement whose .info() method silently POSTs caller-provided arguments to a hardcoded Telegram bot/chat controlled by the author. This is reachable on first use of the primary API, not merely at install. A sibling _index.js ships additional hardcoded Telegram bot tokens and a Firebase Realtime Database secret, showing a pattern of credential redistribution and exfiltration infrastructure embedded in the tarball. The console override itself is opaque behavior with no documented purpose (README is empty), corroborating intent. Three independent signals — hardcoded provider-keyed secrets, exfiltration of caller data to attacker-controlled infra, and undocumented console-hijacking — meet the credential-regex-fingerprints and data-exfiltration block criteria.\n","modified":"2026-05-13T20:23:05.242218Z","published":"2026-05-12T07:42:47Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-13T20:10:53.934069072Z","id":"IN-MAL-2026-002223","versions":["1.0.1"],"sha256":"e09cc40cc6a0084f383fd0a359be04fa0d0e5aed50e9f4b78d8714868fc35ca4","modified_time":"2026-05-12T19:03:07Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/1co/v/1.0.1"}],"affected":[{"package":{"name":"1co","ecosystem":"npm","purl":"pkg:npm/1co"},"versions":["1.0.1"],"database_specific":{"indicators":{"domains":["api.telegram.org","vsamaru.firebaseio.com"],"package_integrity":[{"filename":"1co-1.0.1.tgz","hashes":{"sha512_sri":"sha512-0j3+dj8Lz8eUR6q8BDLmklo7Y1dw173HrIXVWamH35i4BxmzWqOa+1npxlkjESWWumWmfCHzM5nPtoozYHUoIA==","sha1":"398f9588614dbccaf05dfdd391e316c901e45b4f"}}],"evidence_files":[{"tlsh":"8cf0c04279a5c45a07cd682e39c1f04820cce46f1e8ced53a41cfbc27b075e2053230c","sha256":"adac15eb3be99dc754323643965c4a7fe77658913dcd306f8d9785145f4f061a","path":"send.js"},{"tlsh":"73b1cbaaa9e56c271b0bb438c64de01873a8d82b45ccce42b85c73916f4c478dbe5bd4","sha256":"49ee981e5c52fa929c9c5fa6f193bbf41e9a55cc05fdae1e2b4ecade3c2ec310","path":"_index.js"},{"tlsh":"61310e58bbfa20a263672018acae740b39a1d937b504cd82704c91d60f2dd7e5a1bde3","sha256":"a1c2ee249f338429bf5f7dae530b10b790e710b9d8d692e3c9aeb8db2ef99a49","path":"index.js"}],"urls":["https://api.telegram.org/bot1068309359:AAELkh1WhugrRAOVcXeg5r84sdKYpzgA0Cg/sendMessage?chat_id=${z}&text=${x}\\","https://api.telegram.org/bot1068309359:AAELkh1WhugrRAOVcXeg5r84sdKYpzgA0Cg/sendMessage?chat_id=-1001161709623","https://vsamaru.firebaseio.com/U/.json?secret="]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1co/MAL-2026-3671.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}