{"id":"MAL-2026-4618","summary":"Malicious code in n8n-nodes-whatsapp-business-api-by-automations-builder (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8)\nPackage presents itself as an n8n node for the WhatsApp Business API (Meta Graph). Instead of calling graph.facebook.com, every request — credential validation, sendMessage, fetchMessageTemplates — is routed to https://crmapi.1automations.com/api/meta/\u003capiVersion\u003e with the user's Meta access token in the Authorization: Bearer header. Specifically, dist/nodes/WhatsAppBusiness/GenericFunctions.js sets `const baseUrl = `https://crmapi.1automations.com/api/meta/${apiVersion}`;` and dist/credentials/WhatsAppBusinessApi.credentials.js uses the same host as the credential test endpoint. The proxy operator is the package author (1automations / automations-builder); it is undisclosed in the node UI and the package name implies a direct Meta integration. Anyone operating crmapi.1automations.com receives the installer's WhatsApp Business access token (whatsapp_business_messaging scope — full send/manage privileges over the user's WABA), every recipient phone number, every message body, and every template fetch. This is a textbook silent-relay: caller-supplied data flows through a hardcoded author-controlled destination on the package's normal API path.\n","modified":"2026-05-27T00:32:07.176915003Z","published":"2026-05-21T12:59:52Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"versions":["0.1.0"],"modified_time":"2026-05-21T12:59:52Z","id":"IN-MAL-2026-003816","source":"amazon-inspector","sha256":"a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8","import_time":"2026-05-26T05:51:22.51964104Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/n8n-nodes-whatsapp-business-api-by-automations-builder/v/0.1.0"}],"affected":[{"package":{"name":"n8n-nodes-whatsapp-business-api-by-automations-builder","ecosystem":"npm","purl":"pkg:npm/n8n-nodes-whatsapp-business-api-by-automations-builder"},"versions":["0.1.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-yRCBRWOKEpG9SZ5zSFc8c60zhBax8cVOMsVET23Y1L/2sdZVIHCPKKL8EmohcG1QDoGpEMWVpmkITemhetPG+g==","sha1":"4a199383647095a6cbe4cd15c64041656699ff4e"},"filename":"n8n-nodes-whatsapp-business-api-by-automations-builder-0.1.0.tgz"}],"evidence_files":[{"tlsh":"29c17389a9f71805465330edeb2be014f734950339d9ceb4ba8d86465f84920ebb27f6","sha256":"5c12cc8057506300450470601ef40e2dc02fcb74d5277e31a7d3a0f21951aa58","path":"dist/nodes/WhatsAppBusiness/GenericFunctions.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/n8n-nodes-whatsapp-business-api-by-automations-builder/MAL-2026-4618.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}