{"id":"MAL-2026-3677","summary":"Malicious code in 8oo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495)\nThe package's main entry (index.js) executes an IIFE at require time that loads 66o.js, which replaces the global `console` with a Proxy. Every intercepted call (log, error, dir, and any other method via the Proxy's default handler) issues a fetch to `https://api.telegram.org/bot989543891:AAH7DMWagamQIi0ogmQy7_AuovMP_Ic6T7M/sendMessage` with hardcoded attacker chat IDs (-1001161709623, -1001433099398, -1001482347974) and also PUTs to `https://iiilll.firebaseio.com/\u003cts\u003e.json`. This is automatic, requires no API call from the installer, and persists for the lifetime of the process — any log output (which in real apps commonly includes secrets, tokens, and user data) is silently siphoned to infrastructure the package author controls. Additionally, the IIFE attaches a global `E` object whose helpers PUT arbitrary input objects to `i----i.firebaseio.com`, upload images to an author-controlled imgbb account (hardcoded key `af7cad64d90d19e2a26889f92f6b3ed8`), and re-upload Telegram files to the author's Cloudinary account `o6` with `upload_preset=o6oooo`. The combination of (a) no-opt-in global console hijack on require and (b) hardcoded author-controlled exfil destinations constitutes a concrete one-way data flow from the installer's process to the author's servers.\n","modified":"2026-05-13T20:20:33.273782Z","published":"2026-05-12T07:42:29Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.19"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002189","source":"amazon-inspector","sha256":"1337fb2b1b1768be9179538ab05164fea6e0ca253c0c2db0a5f4821ee9d8f770","import_time":"2026-05-13T20:10:53.227057236Z"},{"versions":["0.0.12"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002182","source":"amazon-inspector","sha256":"8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495","import_time":"2026-05-13T20:10:52.70237896Z"},{"versions":["0.0.6"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002202","source":"amazon-inspector","sha256":"f678446615ac9dec4906e9fc26dd5a754de267f3b4d2d0a36d6adcb3a2643e5f","import_time":"2026-05-13T20:10:53.686601771Z"},{"versions":["0.0.21"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002190","source":"amazon-inspector","sha256":"e1d260207d14624119172888a5d5a436a014b6519cdbbd39d89d7e3b6bdcc97d","import_time":"2026-05-13T20:10:53.310393145Z"},{"versions":["0.0.18"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002194","source":"amazon-inspector","sha256":"47e04de6eb82a547ae2c3994fac69ee68cc05b2095d82899eed90f2e1c160793","import_time":"2026-05-13T20:10:53.529341066Z"},{"versions":["0.0.15"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002185","source":"amazon-inspector","sha256":"7f394ebd546c8be98e73553529c16d4d9ccfdd9d9a66752a81a636dc3fb80afb","import_time":"2026-05-13T20:10:52.983890439Z"},{"versions":["0.0.14"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002184","source":"amazon-inspector","sha256":"a901f20625f9e6a1f97e7e200faee2ffc53d089737db264d0879575e8bb0ebe0","import_time":"2026-05-13T20:10:52.89191044Z"},{"versions":["0.0.8"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002195","source":"amazon-inspector","sha256":"c0f90df58fe63a3969412f0139c1acf41ef72c6ededc1b5b6cf9ca2e4a876567","import_time":"2026-05-13T20:10:53.607848838Z"},{"versions":["0.0.17"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002187","source":"amazon-inspector","sha256":"91c146d7ec3a58d38d59f7ef6e8ba597f9bd538b6e9d0d230ec22cf4e2017a44","import_time":"2026-05-13T20:10:53.1273154Z"},{"versions":["0.0.22"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002191","source":"amazon-inspector","sha256":"155d59ef46ac063a24982db00fc16a63f6aa50c383a6bd61517d802f43c2bd7d","import_time":"2026-05-13T20:10:53.362340849Z"},{"versions":["0.0.4"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002192","source":"amazon-inspector","sha256":"2b0baa728591af3e9d18054119c1b37f1f2b501de15baa0a337fa5caa1c5a0ff","import_time":"2026-05-13T20:10:53.425568502Z"},{"versions":["0.0.16"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002186","source":"amazon-inspector","sha256":"4d46ff64d053b986925c07d85c185d381f87bafae7196b7e55f95b763a860436","import_time":"2026-05-13T20:10:53.066669635Z"},{"versions":["0.0.13"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002183","source":"amazon-inspector","sha256":"58422b18a843b58a777562e309c7f430fca5f29ba652280ac8fb11eed6870949","import_time":"2026-05-13T20:10:52.766342677Z"},{"versions":["0.0.9"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002196","source":"amazon-inspector","sha256":"22a84869d6d50dd5fa5f5cd07c5706b08ac4e811cb10127468eb97fa5f10bef7","import_time":"2026-05-13T20:10:53.652643365Z"},{"versions":["0.0.5"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002193","source":"amazon-inspector","sha256":"306bdbb47720a2bbe8b4cba1600666826da2e73327d32ab1594fb608f46cc0fe","import_time":"2026-05-13T20:10:53.492167453Z"},{"versions":["0.0.11"],"modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002181","source":"amazon-inspector","sha256":"45d605bb7ccd2f732508459c27f598ca30dce5663169835f7fef16ef54650f7b","import_time":"2026-05-13T20:10:52.660965155Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.19"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.21"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.18"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.14"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.17"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.22"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.13"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/8oo/v/0.0.11"}],"affected":[{"package":{"name":"8oo","ecosystem":"npm","purl":"pkg:npm/8oo"},"versions":["0.0.19","0.0.12","0.0.6","0.0.21","0.0.18","0.0.15","0.0.14","0.0.8","0.0.17","0.0.22","0.0.4","0.0.16","0.0.13","0.0.9","0.0.5","0.0.11"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8oo/MAL-2026-3677.json","indicators":{"domains":["api.telegram.org","iiilll.firebaseio.com","i----i.firebaseio.com"],"urls":["https://api.telegram.org/bot${T}/sendMessage?chat_id=${chat}&text=${encodeURIComponent(l","https://api.telegram.org/bot989543891:AAH7DMWagamQIi0ogmQy7_AuovMP_Ic6T7M/sendMessage","https://i----i.firebaseio.com/${x}.json\\","https://i----i.firebaseio.com/*.json","https://iiilll.firebaseio.com/"],"evidence_files":[{"path":"66o.js","tlsh":"0921e15307cc8464a79b643b0dd6f41e32358b2f5598bc74b8edd2b1ef441fa49d0a84","sha256":"c332e893ae22bba36d0d251c7c22bb90530860b773c05056086a668da76cc3e4"},{"path":"index.js","tlsh":"c90275136babc86a6f87a07dedaa7607b136d11f4c5cc5523a5c13a5cf0463189e2fe0","sha256":"70d70365b69f641f1d2ecce76156463b631431563efea10b80d649dcf75ef867"}],"package_integrity":[{"hashes":{"sha1":"62b87be516b388a695c8c825ca84eefcaf598e65","sha512_sri":"sha512-obt2cwPHHxCQCXZCpW7uL6A9p3u9RjF+S5W5E11ngfsMZ9ISDQu7UAgaIhocJp0PzyMO0Xmkd4Dq6KLliOKm0A=="},"filename":"8oo-0.0.19.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}