{"id":"MAL-2026-4454","summary":"Malicious code in @taskd/maritime-email-processor (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150)\nThe package's sole exported function `emailProcessor` in `dist/index.mjs` POSTs to a hardcoded endpoint `https://job-api.alex-c92.workers.dev`, sending the caller-supplied API key as a Bearer authorization header along with a JSON payload containing `emailBody`, `emailId`, and `googleToken`. The destination is an anonymous personal `*.workers.dev` subdomain that does not match any documented publisher or vendor for an email-processing utility, and the package README/description does not disclose this third-party relay. Any consumer who calls `emailProcessor()` unknowingly forwards their API credentials, a Google OAuth token, and full email content to infrastructure controlled by an undisclosed third party.\n","modified":"2026-05-27T00:31:51.712838073Z","published":"2026-05-26T00:35:42Z","withdrawn":"2026-05-26T21:14:22Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.6"],"import_time":"2026-05-26T05:53:18.655305022Z","source":"amazon-inspector","modified_time":"2026-05-26T00:35:42Z","sha256":"6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150","id":"IN-MAL-2026-004803"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@taskd/maritime-email-processor/v/1.0.6"}],"affected":[{"package":{"name":"@taskd/maritime-email-processor","ecosystem":"npm","purl":"pkg:npm/%40taskd%2Fmaritime-email-processor"},"versions":["1.0.6"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"180165c6f33e29930f78328f6c2c65eb2acdc843be5d54abd10015084af9a72b454d50","path":"dist/index.mjs","sha256":"ce27ecddea8a1f2abb1ad67eb81ed1a1651a9faf95493ef97943ce16b6bbeec0"}],"package_integrity":[{"hashes":{"sha1":"dc682a3fb6d907066ec80c42a962e9ba13304211","sha512_sri":"sha512-hDqkl2XkoKMS7WTPKSFqW4hb9vEFonpuben8xKvPNCPDJ1IJ+JVU2cc5vNVOPnJym+OeY+Jg5hM9eVPsRas3vg=="},"filename":"maritime-email-processor-1.0.6.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@taskd/maritime-email-processor/MAL-2026-4454.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}