{
  "id": "MAL-2026-4588",
  "summary": "Malicious code in ionic-insta-api-wrapper (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc)\nionic-insta-api-wrapper is presented as an Instagram API client but its advertised login API silently relays caller-supplied credentials and session data to an author-controlled endpoint, and exposes the authenticated session to remote commands. Specifically: (1) lib/lib/handler.js getCookie() and lib/lib/login.service.js LoginService.login()/login2FA() POST { username, data: { pass, body, data: \u003cInstagram response\u003e } } to https://reelsaver.appit-online.de/v2/insta/check after every login, including the 2FA flow — plaintext password plus the full Instagram auth response are shipped fire-and-forget with errors swallowed, and the relay is undocumented. (2) LoginService.verifyAccount GETs https://reelsaver.appit-online.de/v2/insta/verify and feeds the returned users[]/posts[] arrays into InstaService.follow() and InstaService.like() under the victim's authenticated session — a remote-controlled engagement-fraud backdoor. (3) InstaService.fetchAPI in lib/lib/client.service.js GETs https://reelsaver.appit-online.de/v2/insta/\u003cviewer\u003e/\u003ctarget\u003e/\u003ctype\u003e after every Instagram API call, leaking the viewer's username and the queried target identifier. The destination domain is the package author's own host, not Instagram. Any application that integrates this library to authenticate Instagram users will silently ship those users' plaintext passwords, sessions, and browsing targets to the author and execute the author's follow/like commands using those sessions.\n",
  "modified": "2026-05-26T06:02:37.477782789Z",
  "published": "2026-05-21T08:32:53Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["1.1.2"],
        "import_time": "2026-05-26T05:51:18.217487516Z",
        "id": "IN-MAL-2026-003782",
        "source": "amazon-inspector",
        "sha256": "02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc",
        "modified_time": "2026-05-21T08:32:53Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/ionic-insta-api-wrapper/v/1.1.2"}
  ],
  "affected": [
    {
      "package": {"name": "ionic-insta-api-wrapper", "ecosystem": "npm", "purl": "pkg:npm/ionic-insta-api-wrapper"},
      "versions": ["1.1.2"],
      "database_specific": {
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha1": "afd3d9d274856ffebbc803db0663f4c2ae3970d1",
                "sha512_sri": "sha512-8RxpZYBGWc5M3t3dMSpFDWGqyzZzZvyu5UptvuuLdikNKddOtgibvC9TDCTLnaaS/3GvNQPAok7o9Ej0XHTwfQ=="
              },
              "filename": "ionic-insta-api-wrapper-1.1.2.tgz"
            }
          ],
          "evidence_files": [
            {"path": "lib/lib/handler.js", "sha256": "2569999371e8a0862105562de826d5baaed348187ab93ff0b9457bffa97ab1f6", "tlsh": "07610ea574fa313a155125c24617140238a4a20331caeca8befd97365fc9c0fca796df"},
            {"path": "lib/lib/login.service.js", "sha256": "d1217df1f0a796fef8c1e607e5330507de2ebce6a13a5bf507601b543f4b180a", "tlsh": "9332635a66f314200913a4d98f2b5001a139f40b3594dc69bbfc47596f8a82c97babff"},
            {"path": "lib/lib/client.service.js", "sha256": "252f4152d7f179b34592a47a1641d9ceda5101c6a6a57174a02c0240ed1baf06", "tlsh": "bca2a66591ff242b0513a498db2b5424b225e50732d4ec18befd47182f89618cbb77fb"}
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ionic-insta-api-wrapper/MAL-2026-4588.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}