{"id":"MAL-2026-3678","summary":"Malicious code in 8q (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e)\nThe package's declared main entry (router.js) is an IIFE that runs the moment an installer's code executes `require('8q')` or `import '8q'`. On load it overrides the global `console.warn`, `console.error`, `console.exit`, `console.info`, and adds a `console.N`. Each override POSTs its arguments to `https://api.telegram.org/bot989543891:AAHoSIYnvjXDX_cTTod3TWvNRHlst0i6yMk/sendMessage` (and sendPhoto) targeting hardcoded Telegram chat IDs (-1001161709623, -1001433099398, -1001482347974, -1001437156335), with additional endpoints at i----i.firebaseio.com, iiilll.firebaseio.com, and api.imgbb.com. Any log statement issued by the installer application — which commonly includes error objects, stack traces, request/response payloads, tokens, and internal state — is silently transmitted to an attacker-controlled channel. In addition, replacing `console.*` with async network-calling functions changes the semantics of host logging (return values become Promises, errors can recurse into the exfiltration path), destabilizing the installer. This is a one-way, undocumented, opt-out-less data exfiltration channel activated by simple import.\n","modified":"2026-05-13T20:20:58.009334Z","published":"2026-05-12T07:43:52Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-12T19:03:07Z","sha256":"1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e","import_time":"2026-05-13T20:10:56.407173888Z","id":"IN-MAL-2026-002364","source":"amazon-inspector","versions":["1.8.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/8q/v/1.8.2"}],"affected":[{"package":{"name":"8q","ecosystem":"npm","purl":"pkg:npm/8q"},"versions":["1.8.2"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"5df151c62dfb94a31f9b2812826fe0877566c73b565eec10750cefa14f20d618877ac6","sha256":"21c138c7f4825b7e5864ba602f6b103f3737eeafd16859a6604e6dccf24d79c8","path":"router.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-txNAgfYtmjKkjqntLea9UbLjqSW6E/zuPlcerGNzaywKL4U6jQEldoOtN5DetoD6c98pGsyN7bnpbzYpaZyRiQ==","sha1":"5d27b72e7a0375fe9e5e9c08f5a90d37bdf29200"},"filename":"8q-1.8.2.tgz"}],"domains":["api.telegram.org","api.imgbb.com","i----i.firebaseio.com","iiilll.firebaseio.com"],"urls":["https://api.telegram.org/bot${T}/sendMessage?chat_id=${id}&text=${encodeURIComponent(z","https://api.telegram.org/bot989543891:AAHoSIYnvjXDX_cTTod3TWvNRHlst0i6yMk/sendMessage","https://api.imgbb.com/1/upload?key=33612f7751537f4f27c5253f56edbf16","https://i----i.firebaseio.com/.json","https://iiilll.firebaseio.com/.json"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/8q/MAL-2026-3678.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}