{"id":"MAL-2026-4419","summary":"Malicious code in @pmate/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502)\nThe exported `detectText(imageBase64)` function in src/detectText.ts sends caller-supplied image content to https://vision.googleapis.com/v1/images:annotate using a hardcoded Google Cloud API key (`AIzaSyB60IT_Mte2tZisNiBujfS_q9MPOnw6tgk`) belonging to the package author. Any consumer who calls the advertised text-detection utility unknowingly routes their image data through the author's Google Cloud project, where requests are quota-tracked and may be logged on the author's side. Callers cannot configure or disable this destination — it is hardcoded in the function body. The hardcoded key is also distributed in plaintext to every installer, allowing anyone to drain the author's Vision API quota.\n","modified":"2026-05-27T00:32:02.630434244Z","published":"2026-05-25T09:50:38Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T09:50:38Z","sha256":"d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502","source":"amazon-inspector","versions":["1.1.4"],"import_time":"2026-05-26T05:52:57.289698917Z","id":"IN-MAL-2026-004616"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@pmate/utils/v/1.1.4"}],"affected":[{"package":{"name":"@pmate/utils","ecosystem":"npm","purl":"pkg:npm/%40pmate%2Futils"},"versions":["1.1.4"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@pmate/utils/MAL-2026-4419.json","indicators":{"evidence_files":[{"sha256":"89f70c21583de39273c7c294d714edeeea6ed443360ca87994998b4fd2c96496","path":"src/detectText.ts","tlsh":"5e2123466cf515a34bcf60f1128f9403f124904f3a6def50b78c02941f5a13d96babc9"}],"package_integrity":[{"hashes":{"sha1":"5df218edf53a2c8b54c0db8de0650e17aed46c4a","sha512_sri":"sha512-r5dQoDPkUrZFfsBPYI19Mk4WLVsW3nojDNsKcKJndno049Nr4dpdOuAqf3dVOmeNpj9ow7E8th6cBrNrkgPtog=="},"filename":"utils-1.1.4.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}