{"id":"MAL-2026-4364","summary":"Malicious code in @aswinsparky/api (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe)\nindex.js line 11 issues a fetch() to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a freshly-registered qzz.io subdomain matching the author's npm scope (@aswinsparky), not a documented vendor or publisher infrastructure. There is no configuration option, no user-supplied URL, and no documented purpose that would explain shipping environment-variable contents to this host. Any consumer that imports or invokes this package leaks process environment values — typically containing API keys, tokens, and secrets — to the author-controlled endpoint.\n","modified":"2026-05-27T00:32:00.987981646Z","published":"2026-05-20T19:19:07Z","withdrawn":"2026-05-26T17:59:01Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.1"],"id":"IN-MAL-2026-003598","modified_time":"2026-05-20T19:19:07Z","import_time":"2026-05-26T05:50:56.125386281Z","sha256":"8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@aswinsparky/api/v/1.0.1"}],"affected":[{"package":{"name":"@aswinsparky/api","ecosystem":"npm","purl":"pkg:npm/%40aswinsparky%2Fapi"},"versions":["1.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-WIFk++fqtosujBDODks7nIy9akIfy9af+533EK67Qu7H2G97pomH1mhVregfu9WqSwBmoeQO06bzD6S2WAlMZg==","sha1":"5764ff475adb47d8e714370bfa73213df5383f2f"},"filename":"api-1.0.1.tgz"}],"evidence_files":[{"path":"index.js","tlsh":"b311cc9a64e67693c57e6035ca0f9e01b1aad3472cccdc06b21c619d6fae035c2728ed","sha256":"ca60423228854a83408ecc0819e8564e693601327e0ba0a7f3d2d53f1767b6b9"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@aswinsparky/api/MAL-2026-4364.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}