{"id":"MAL-2026-3674","summary":"Malicious code in 66o (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c3ba0e9f968d627812a2a4efbb8631d3400b6c19692c7668c8e511e2808aaa62)\nOn `require()`, index.js replaces the global `console` object with a Proxy (index.js:36-73) that intercepts console.error/info/warn calls anywhere in the host process and POSTs their serialized content (up to 4090 chars) to https://api.telegram.org/bot\u003credacted-token\u003e/sendMessage?chat_id=5043676235. It additionally installs a `process.on('uncaughtException', err =\u003e console.error(err))` handler (index.js:3-10), ensuring that any uncaught exception in the installer's application — which commonly includes file paths, environment values, SQL fragments, and request payloads in stack traces — is routed through the same exfiltration channel to an author-controlled Telegram chat. A secondary global `U`/`F` function (index.js:75-83) writes caller-supplied objects to an author-owned Firebase Realtime Database (iiilll.firebaseio.com). The hardcoded Telegram bot token and imgbb API key in the source are the credentials backing this relay, not merely author-leaked secrets. Any consumer that `require`s this package silently has their log and error stream piped to a third party without consent — a textbook silent-relay / data exfiltration supply-chain attack.\n","modified":"2026-05-13T20:21:51.392697Z","published":"2026-05-12T07:44:45Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-002483","import_time":"2026-05-13T20:10:57.648756053Z","sha256":"1a214cc5bb46f83fba63a38ad74b82facd8c3cd83d1e6a8d753e9efda051113f","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.3"]},{"id":"IN-MAL-2026-002481","import_time":"2026-05-13T20:10:57.539668117Z","sha256":"c3ba0e9f968d627812a2a4efbb8631d3400b6c19692c7668c8e511e2808aaa62","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.196"]},{"id":"IN-MAL-2026-002482","import_time":"2026-05-13T20:10:57.590239752Z","sha256":"c64cf74239764896d89680b0c5312fa9460383f30f7f423a639c8009fb9f054e","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.197"]},{"id":"IN-MAL-2026-002479","import_time":"2026-05-13T20:10:57.369381052Z","sha256":"8e65e1410da21dc0a1b883b13ad19ba2abb70f4270132f62d5e0b17f793314a3","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.18"]},{"id":"IN-MAL-2026-002486","import_time":"2026-05-13T20:10:57.785813636Z","sha256":"9fdabd748a051fb2aba56fff851cdd2d5087710b9da2bf59a82b1109c855ab4b","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.192"]},{"id":"IN-MAL-2026-002484","import_time":"2026-05-13T20:10:57.707637626Z","sha256":"c2ed1f26961fa4c42eb40c594e6aab6619e9543f4af9fe41652322939119de87","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.5"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.196"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.197"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.18"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.192"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/66o/v/0.0.5"}],"affected":[{"package":{"name":"66o","ecosystem":"npm","purl":"pkg:npm/66o"},"versions":["0.0.3","0.0.196","0.0.197","0.0.18","0.0.192","0.0.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"66o-0.0.3.tgz","hashes":{"sha1":"ad14c61d30cf5bb611ba7806cdecbc8cd91aec88","sha512_sri":"sha512-0NsRR26Jz09VA+BqPChvJKb8D3SPKcgCuduhf7ZjI+N627SmdbWoGhEx7KWQsEFANFV7bWO1kQ/Q90GRfA4IOQ=="}}],"urls":["https://api.telegram.org/bot989543891:AAEABA8BE-RlYSBbdbjHE6IBVN4MhlqLjY0/sendMessage","https://hooks.slack.com/services/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","https://iiilll.firebaseio.com/.json"],"evidence_files":[{"sha256":"badd61c243bbf86b4b5dbda57d1e32da4cc1fb6e210384c32eb568593f6b6d46","path":"index.js","tlsh":"88a1524b7ef684a51f53b02515afe107b069d82b544ce820b64cd3b99f88c7646f7bc8"},{"sha256":"d04e4e80d51ee9295255fb321151a78c6f0f8de4b506a853b9575e4eec39330c","path":"package.json","tlsh":"a7c012219861ada351c81b9159e9410276a59c1b4048ec1961cb2124864d16b08ed54d"}],"domains":["api.telegram.org","hooks.slack.com","iiilll.firebaseio.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/66o/MAL-2026-3674.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}