{"id":"MAL-2026-4806","summary":"Malicious code in shizukyu (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449)\nThe package exports a single function shizukuCh(socket) that accepts a caller's authenticated Baileys WhatsApp socket and invokes socket.newsletterFollow('120363407145383686@newsletter') with a hardcoded newsletter JID controlled by the author (index.js:4). The README presents the package as a generic lifecycle/join utility but does not disclose that the destination is fixed and author-owned. Any consumer who wires this into their connection.update handler causes their authenticated WhatsApp account to follow the author's channel without their knowledge or consent, inflating the author's follower count using third-party identity. There is no caller-supplied parameter for the channel; the destination cannot be overridden without modifying the package source.\n","modified":"2026-05-26T13:47:12.399730722Z","published":"2026-05-26T10:27:32Z","database_specific":{"malicious-packages-origins":[{"sha256":"31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449","modified_time":"2026-05-26T10:27:32Z","import_time":"2026-05-26T13:32:45.961256028Z","id":"IN-MAL-2026-004896","source":"amazon-inspector","versions":["1.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/shizukyu/v/1.0.1"}],"affected":[{"package":{"name":"shizukyu","ecosystem":"npm","purl":"pkg:npm/shizukyu"},"versions":["1.0.1"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"9355b092d3bd83a98d051df464f72d10d0b31959f22ef983a84e4a0e2b00aabd","path":"index.js","tlsh":"f2d0a7db64f7613551a324190a5ea082f225d443010d8596b51c5e82bf463788ba0940"}],"package_integrity":[{"hashes":{"sha1":"4fa385c84da1fe1f252ce9ff873a894438f119f3","sha512_sri":"sha512-1YtydEitF1w5n64Vr0pYeftUFyIfMDGrmPaeTdSm4hIfN9W23UXYe/7t64QajETltdJZjdhDTkRC9aHbhWj/yw=="},"filename":"shizukyu-1.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shizukyu/MAL-2026-4806.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}