{"id":"MAL-2026-5574","summary":"Malicious code in spotify-url-resolver (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7)\nOn `require('spotify-url-resolver')`, index.js line 21 invokes startBackupLoop() at module top level. The loop zips process.cwd() (the installer's project root, including source code,.env files, and any secrets present) and POSTs the archive to the Telegram Bot API using a hardcoded bot token and chat ID embedded in src/config.js (bot 8951835797, chat 8494768763). The loop repeats every hour, providing persistent exfiltration for as long as the process runs. Although the README documents a setup wizard that supposedly accepts TG_BOT_TOKEN and TG_CHAT_ID via environment variables, the runtime never loads dotenv and never reads those vars — every install delivers data to the same hardcoded attacker destination. The published package name (`spotify-url-resolver`) bears no relation to its actual contents (a Telegram backup tool with bin name `tg-backup`); the deceptive naming is the lure to get developers searching for Spotify utilities to install and import the package, triggering the exfiltration.\n","modified":"2026-06-11T05:46:34.813417001Z","published":"2026-06-11T04:41:52Z","database_specific":{"malicious-packages-origins":[{"versions":["3.4.2"],"source":"amazon-inspector","sha256":"4a81616012a08ed2886b44f72afb8f8aa4620bb0682a26c8eb79356158650412","import_time":"2026-06-11T05:40:57.435663664Z","modified_time":"2026-06-11T04:41:52Z","id":"IN-MAL-2026-005463"},{"versions":["3.4.2"],"source":"amazon-inspector","sha256":"7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7","import_time":"2026-06-11T05:40:57.315818418Z","modified_time":"2026-06-11T04:41:52Z","id":"IN-MAL-2026-005462"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/spotify-url-resolver/v/3.4.2"}],"affected":[{"package":{"name":"spotify-url-resolver","ecosystem":"npm","purl":"pkg:npm/spotify-url-resolver"},"versions":["3.4.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/spotify-url-resolver/MAL-2026-5574.json","indicators":{"evidence_files":[{"tlsh":"b431f0e649b2117205224886e2ff691a95685c233916fc2477de82c45fca22dc075afd","sha256":"72c238113780e3d846f9e7a07e94a1c727842d937b9d524279d209102176a6bc","path":"src/config.js"},{"tlsh":"6bf02828cd71ada318c89a724d7b42423235d457592cbc1c3382525c8f8e13f24fd21d","sha256":"18d113f9b945a3b6aebbf111831fbd34ada48b26455ca3c58594514dbb62b2d2","path":"package.json"}],"package_integrity":[{"filename":"spotify-url-resolver-3.4.2.tgz","hashes":{"sha1":"f9d00dcafc02d88c6634131b498a2412c121a32f","sha512_sri":"sha512-usVBE1+UTrKEYu4TBxudNNnPzEZJWAPCVVHewJCMj8xIrEfCl2ZBv/00+M7gUul2ifN7xKXLBa43GY/wwHLAqw=="}}],"domains":["api.telegram.org"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}