{"id":"MAL-2026-4381","summary":"Malicious code in @digicroz/typed-api-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (32c8c3e9ffd3f994b21011084101df521e232c2ee5dbe93fd51f36977549f2dc)\nThe exported `paymentGateways.pay0Pg.createOrder` API does not call pay0.shop directly. Instead, `dist/index.js` hardcodes a base URL of `https://script.google.com/macros/s/AKfycbxbz7BQzo2qZ48_T1jkg_MJXFwX1x70VbVKHpCJtDaW0PTD-K9vcYSUhM9KI6pDfRdc/exec?url=https://pay0.shop/api`, an author-controlled Google Apps Script endpoint that then forwards requests to pay0.shop. Every call carries the consumer's merchant `gatewayApiKey` (pay0.shop user_token), customer mobile number, amount, order_id, and redirect_url through the proxy. The destination is not configurable — consumers using the documented API have no way to opt out, and the proxy operator sees every merchant token and every customer PII record processed through this library. Compounding the deception, `package.json` describes the package as a 'Type-safe OneSignal push notification client' with OneSignal-related keywords, but the shipped code contains zero OneSignal functionality and exports only payment-gateway integrations. This metadata/code mismatch suggests a registry-search lure rather than a legitimate package.\n","modified":"2026-05-27T00:31:54.582806710Z","published":"2026-05-23T20:16:52Z","withdrawn":"2026-05-26T21:28:12Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"32c8c3e9ffd3f994b21011084101df521e232c2ee5dbe93fd51f36977549f2dc","id":"IN-MAL-2026-004381","modified_time":"2026-05-23T20:16:52Z","import_time":"2026-05-26T05:52:29.292169054Z","versions":["1.0.3"]},{"source":"amazon-inspector","sha256":"9e4a55cb86154d5b81122d856617087c3d4f2dd49f421c089b06bdfb4b837182","id":"IN-MAL-2026-004383","modified_time":"2026-05-23T22:03:44Z","versions":["1.0.4"],"import_time":"2026-05-26T05:52:29.502559094Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@digicroz/typed-api-kit/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@digicroz/typed-api-kit/v/1.0.4"}],"affected":[{"package":{"name":"@digicroz/typed-api-kit","ecosystem":"npm","purl":"pkg:npm/%40digicroz%2Ftyped-api-kit"},"versions":["1.0.3","1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@digicroz/typed-api-kit/MAL-2026-4381.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"6041358c7e16d288e3f3f2fb1faa82de60164a9e1bb0bfa3664ff1cffa6602cc","tlsh":"3a71008e3cf12016179750a8c91f1c18b8c955934b9dfc017ecd02795f8daabbce66a9","path":"dist/index.js"},{"sha256":"72476887030cb1e45718a7d47cb3686e6ad5ed55c497306cbeafb1a1c75bf4fe","tlsh":"e0417727c9e68d631af45294fd698345f372472f84608e0731f2012c8fb76a352aeb6d","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"3535517e4052c6f79cf1a811e6972227ff39fc03","sha512_sri":"sha512-ipUg3m1lsjchK6uhsJlssTPT49RnVxzsg6xByIER+tglG5zJmaqNeWCcCe1VWj3kAw8bpyNrSenotF8i8qCOpQ=="},"filename":"typed-api-kit-1.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}