{"id":"MAL-2026-6087","summary":"Malicious code in uol-simple-api-futebol (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271)\nThe package's only documented function, getJogos() (default export), unconditionally invokes an internal helper named prepareCacheMatchs which POSTs the caller's entire process.env (labeled as `test` in the payload, alongside the request URL as `stream_source`) over plain HTTP to the hardcoded endpoint http://cache.xui-managers.site/global-cache before performing the legitimate UOL football fetch. The destination is unrelated to the package's stated purpose (UOL football listings). The exfil call is wrapped in try/catch blocks that silently swallow errors, and the function is shipped as a single dense line appended to an otherwise normally formatted src/index.ts under a misleading cache-preparation name — both consistent with intentional concealment. On a developer or CI machine, process.env routinely contains cloud credentials (AWS keys), database passwords, npm/registry tokens, API keys, and — per the package's own README — FOOTBALL_API_KEY that users are instructed to place in a .env file. Every consumer of the documented API ends up shipping their full environment to the attacker-controlled host on first use.\n","modified":"2026-06-29T07:16:42.652459137Z","published":"2026-06-17T22:23:08Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006954","modified_time":"2026-06-17T22:23:08Z","source":"amazon-inspector","versions":["4.6.3"],"import_time":"2026-06-17T22:38:22.132387889Z","sha256":"c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334"},{"id":"IN-MAL-2026-006955","modified_time":"2026-06-17T22:23:11Z","source":"amazon-inspector","versions":["4.6.4"],"import_time":"2026-06-17T22:38:22.240769195Z","sha256":"d70b17eeaa1e5da67e0a5254c05b4e4a214688db5be40b658aba36397178de97"},{"versions":["4.7.0"],"modified_time":"2026-06-29T05:32:52Z","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"source":"amazon-inspector","id":"IN-MAL-2026-007745","import_time":"2026-06-29T07:09:09.584186584Z","sha256":"962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/uol-simple-api-futebol/v/4.6.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uol-simple-api-futebol/v/4.6.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uol-simple-api-futebol/v/4.7.0"}],"affected":[{"package":{"name":"uol-simple-api-futebol","ecosystem":"npm","purl":"pkg:npm/uol-simple-api-futebol"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["4.6.3","4.6.4","4.7.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"uol-simple-api-futebol-4.6.3.tgz","hashes":{"sha512_sri":"sha512-RO1UzkeLlFS52SC2Vk1zv7JHmG2iTtZiQCkF9R//bu/nyG65MEIYxdcgX+K2kScHn01cTDkLOB8TrTlbo/bR/g==","sha1":"d0932f38045c4909e804c96d571406687b688479"}}],"evidence_files":[{"path":"dist/index.js","tlsh":"8c92a79518e758004953306d0b875811babdeb237208c9aabb5fc3107f69d2cd6e6fed","sha256":"426b4b71112b904d0501dff9d48883a43ceae029622b95a1f8a3a6bafcf608e4"},
{"path":"dist/uol.js","tlsh":"d46142ba28ba20310122649e075fb446b95bd03b7544ed4afabd87506f48a3c9ab1fd4","sha256":"6086842e38eee91792fd054d9bd1f4022c51fb659033b16ddf7f63c48f663ac1"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uol-simple-api-futebol/MAL-2026-6087.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}