{"id":"MAL-2026-4666","summary":"Malicious code in seedcode-facturacion-electronica (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e)\nThe package advertises itself as a client for submitting El Salvador electronic invoices (DTEs) directly to the Ministerio de Hacienda. In practice, the exported `send_to_mh` and `send_invalidation_to_mh` functions hardcode the destination to `https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte` and `.../anular-dte` (the author's own ERP domain), not the official MH endpoint. See `dist/utils/constants.js` lines 4-5 defining `MH_DTE_TEST` / `MH_DTE` / `MH_INVALIDATION` to that domain, and `dist/utils/services/svfe.service.js` line 34 performing `axios.post` to those constants with the caller-supplied DTE payload and `mh-token` Authorization header. Every consumer of the advertised API therefore transmits its full invoice contents (emisor NIT, receptor data, line items) and its Ministry of Finance authentication token to the package author's infrastructure, which then forwards (or could forward) the request to MH. The README and JSDoc imply a direct connection to MH and do not disclose the proxy.\nThis is the silent-relay shape: the package's normal API silently leaks caller-supplied sensitive data — including a government tax-filing credential — to a hardcoded third-party destination.\n","modified":"2026-05-27T00:32:12.981852933Z","published":"2026-05-21T01:06:46Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"sha256":"366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e","id":"IN-MAL-2026-003672","modified_time":"2026-05-21T01:06:46Z","versions":["2.5.35"],"import_time":"2026-05-26T05:51:05.014171172Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/seedcode-facturacion-electronica/v/2.5.35"}],"affected":[{"package":{"name":"seedcode-facturacion-electronica","ecosystem":"npm","purl":"pkg:npm/seedcode-facturacion-electronica"},"versions":["2.5.35"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"dist/utils/constants.js","sha256":"148c24a6c976ebc3edc34d1f9fed33a43f93910c6010ab9f4cd14bf0e0a5890d","tlsh":"9df0289f850803e0139511f092c295ba7acb4f873c04d03aabf5e355e41a6cf0eb081b"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-AWToLhBlYUGzuMwEZtrrwFtg5qtsA+CtS049539iLUlAqFjOtln8+EGn/k0zl9egYjt7hC8C8UPiK4dpAnjovw==","sha1":"dc61066d73d56484cb9bd24f526b94d1797ac552"},"filename":"seedcode-facturacion-electronica-2.5.35.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/seedcode-facturacion-electronica/MAL-2026-4666.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}