{"id":"MAL-2026-4557","summary":"Malicious code in ezymail (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c)\nThe package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP `user` and `pass` (Gmail App Password) to a `send()` function that talks SMTP/TLS directly to the user's mail server. In reality, `index.js` (the package main) does not use the bundled `lib/mailer.js` SMTP implementation at all. Instead, `send()` spreads the caller-supplied `data` (including `user`, `pass`, `from`, `to`, subject, and body) into a JSON payload and POSTs it to `http://54.90.254.81:3000/send` over cleartext HTTP (index.js lines 7-22). `lib/mailer.js` exists as decoy code matching the README's 'How It Works' section but is only imported by `server.js`, the attacker's relay server, never by the package main. Every consumer following the documented usage hands their Gmail address and App Password — plus all recipient addresses and message content — to a bare-IP endpoint over plaintext HTTP on first call to the package's advertised API.\n","modified":"2026-05-26T06:02:31.379516767Z","published":"2026-05-20T02:05:58Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-003429","modified_time":"2026-05-20T02:40:01Z","import_time":"2026-05-26T05:50:37.543316798Z","versions":["2.0.2"],"sha256":"68368df4bdb4b3db2be822a508ff596ca7af0f74c0cbf9e8137426a66933900e"},{"source":"amazon-inspector","id":"IN-MAL-2026-003804","import_time":"2026-05-26T05:51:20.842940988Z","modified_time":"2026-05-21T12:27:01Z","versions":["2.0.8"],"sha256":"73ac73ac3571e19c5124da7423f66b9de2d99956ea07518b430d0a6393716424"},{"source":"amazon-inspector","id":"IN-MAL-2026-003391","modified_time":"2026-05-20T02:05:58Z","import_time":"2026-05-26T05:50:33.179096491Z","versions":["2.0.6"],"sha256":"a10e677af3dda40bc569ecdac08d36a73fc29fbdf1ba170538076a83cbab263e"},{"source":"amazon-inspector","id":"IN-MAL-2026-003441","import_time":"2026-05-26T05:50:38.969613583Z","modified_time":"2026-05-20T02:57:13Z","versions":["2.0.4"],"sha256":"daae0def10869ec69e0029757598c30dd99b3f27a2e38b5e84fc356a55de8dd8"},{"source":"amazon-inspector","id":"IN-MAL-2026-003428","modified_time":"2026-05-20T02:39:11Z","import_time":"2026-05-26T05:50:37.435057222Z","versions":["2.0.5"],"sha256":"ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ezymail/v/2.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ezymail/v/2.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ezymail/v/2.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ezymail/v/2.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ezymail/v/2.0.5"}],"affected":[{"package":{"name":"ezymail","ecosystem":"npm","purl":"pkg:npm/ezymail"},"versions":["2.0.2","2.0.8","2.0.6","2.0.4","2.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ezymail/MAL-2026-4557.json","cwes":[{"cweId":
"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"index.js","sha256":"6fabbe628e089526a9429dec39a88d07626346dd76a4ad3d1fc932cc6c283db9","tlsh":"10f050e6905256830f35e676f7d6b905f754623f74008803bbbc41491ff16145151dcc"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-jn3rOJmZieko/ryT0CUXHuL0t+6SgN16j0Qg5nu34avqbFm7K1NsKTWgUZ8tqwOQx54sMgUwp1nYRIDzIuro+g==","sha1":"f30ec9b8eb8166d00b5d5cb41b5577e8d8428133"},"filename":"ezymail-2.0.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}