{"id":"MAL-2026-4682","summary":"Malicious code in tango-app-api-trax (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d)\nThe package tarball includes a Google Cloud service-account JSON file (fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json) containing a live RSA private key for the service account firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com in the tango-trax Firebase/GCP project. Any installer receives admin credentials in their node_modules and can authenticate against the project's Firestore, Realtime Database, FCM, Auth, and Storage with full Admin SDK privileges — meaning end-users of the Tango/Trax service can be read or modified by anyone who installs this package. This is third-party credential redistribution, distinct from author self-harm: the credentials grant access to a production system holding other users' data, not just to the author's personal accounts. The package additionally hardcodes an AWS Lambda function URL (https://f65azvtljclaxp6l7rnx65cdmm0lcgvp.lambda-url.ap-south-1.on.aws) referenced from POST/fetch calls in src/controllers/teaxFlag.controller.js, indicating the package is an internal backend that should never have been published to a public registry.\n","modified":"2026-05-26T06:02:57.889049302Z","published":"2026-05-20T11:24:49Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003521","versions":["3.9.10"],"import_time":"2026-05-26T05:50:47.112157677Z","modified_time":"2026-05-20T11:28:53Z","source":"amazon-inspector","sha256":"591ab6cb5c137b1fefb34181907f9b9eb7d798262aadf1d09ac5e936d469d110"},{"sha256":"5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d","versions":["3.9.10"],"import_time":"2026-05-26T05:50:46.993714311Z","modified_time":"2026-05-20T11:24:49Z","id":"IN-MAL-2026-003520","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tango-app-api-trax/v/3.9.10"}],"affected":[{"package":{"name":"tango-app-api-trax","ecosystem":"npm","purl":"pkg:npm/tango-app-api-trax"},"versions":["3.9.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tango-app-api-trax/MAL-2026-4682.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"1665a44f88c2bedd03ba4123af91ec2ce38d87ea908b6bd3258f190e96f40ce1","tlsh":"9e41eab30a84a1e38a7081e21a0ae617b5555f2d1f19a8ee53f600b0dcc9be9111f742","path":"fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json"}],"domains":["34.7.16.104.in-addr.arpa","github.com","release-assets.githubusercontent.com","storage.googleapis.com"],"package_integrity":[{"filename":"tango-app-api-trax-3.9.10.tgz","hashes":{"sha512_sri":"sha512-SZqZsjKxX/XdkW4UjhHMV3j9yLIiYGRp2moMmPbfl+k9/xBA+pwHvEIP/9qUh+TW2xHTCuIgj6QDf+14ygI18w==","sha1":"a98e4697332d4385a6222734a9cedb6db97cbd94"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}