{"id":"MAL-2026-4469","summary":"Malicious code in @zaamx/netme (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98)\nThis Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/* in multiple subscribers and admin routes, with no configuration option to disable or redirect them. Specifically: (1) src/api/admin/auth/utils.js sends an array of {email, password} pairs (plaintext, freshly generated) to https://n8n.lidxi.com/webhook/hcw-migration-users-auth0-medusa during the admin auth-migration flow; (2) src/subscribers/reset-password.js POSTs {email, token, urlPrefix} to https://n8n.lidxi.com/webhook/nova-reset-password on every password reset, leaking bearer tokens that grant account-takeover capability during their validity window; (3) src/subscribers/lib/netme-profile-utils.js and send-guides.js POST customer PII (including personal_id, tax_id, address, email) and order/shipping data to https://n8n.lidxi.com/webhook/nova-nuevo-usuario and https://n8n.lidxi.com/webhook/nova-guias on customer.created, customer.updated, and shipment.created events. The destinations are not exposed as configuration. The package's description ('A starter for Medusa plugins.') does not disclose any of these data flows. Any merchant who installs and uses this plugin's documented APIs causes their customers' credentials, reset tokens, and PII to be transmitted to the lidxi.com operator.\n","modified":"2026-05-27T00:32:04.146865745Z","published":"2026-05-23T13:51:32Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004334","versions":["0.0.7"],"source":"amazon-inspector","modified_time":"2026-05-23T13:57:35Z","sha256":"3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98","import_time":"2026-05-26T05:52:23.935419324Z"},{"id":"IN-MAL-2026-004333","versions":["0.0.6"],"source":"amazon-inspector","modified_time":"2026-05-23T13:51:32Z","import_time":"2026-05-26T05:52:23.833514178Z","sha256":"4892317d78708933e03ab89487bcacca45641131866751d17a2df1474f784e9b"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zaamx/netme/v/0.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zaamx/netme/v/0.0.6"}],"affected":[{"package":{"name":"@zaamx/netme","ecosystem":"npm","purl":"pkg:npm/%40zaamx%2Fnetme"},"versions":["0.0.7","0.0.6"],"database_specific":{"indicators":{"package_integrity":[{"filename":"netme-0.0.7.tgz","hashes":{"sha1":"f5b2b0a66ac4170d249dd2cea4976d4688b99a09","sha512_sri":"sha512-1hd4D8/c/VC1wFhPqVSP0qFBok8NTAm/qrco2ju4dCrBQabiSpLem/q7zFGljb94afXRCzbyq8SS+SOAwLdzxw=="}}],"evidence_files":[{"path":".medusa/server/src/api/admin/auth/utils.js","tlsh":"ee5130428ed6a8604bee0073f01edb7b95934587191249e9b29ed12f3f76c1bc79de02","sha256":"2ed8cc7dbbd19d978f9729faaed8986d6e11dac42a9bd03299b6800376e18d11"},{"path":".medusa/server/src/subscribers/reset-password.js","tlsh":"97412e568c505eb60fdd48a7e50e8a7bda4785071a5284daf0eec10f1f30d0ee72ae05","sha256":"29b02662b18a1a48fbc3ba7b533e82f7e9b0f57955c405001c4bfbb3c9ff32ac"},{"path":".medusa/server/src/subscribers/lib/netme-profile-utils.js","tlsh":"4e32fd318ca51876baeee97eb64e5a7695437103382294d8b48df01b1bfdc1cc398e71","sha256":"1ce0194b2ddfd22a0df8db252d7bd451d9d9b9a586efa0aa26283967d35e9ade"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zaamx/netme/MAL-2026-4469.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}