npm

@pmate/utils @1.1.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4419

Ecosystem

npm

Summary

The exported detectText(imageBase64) function in src/detectText.ts sends caller-supplied image content to https://vision.googleapis.com/v1/images:annotate using a hardcoded Google Cloud API key (AIzaSyB60IT_Mte2tZisNiBujfS_q9MPOnw6tgk) belonging to the package author. Any consumer who calls the advertised text-detection utility unknowingly routes their image data through the author's Google Cloud project, where requests are quota-tracked and may be logged on the author's side. Callers cannot configure or disable this destination; it is hardcoded in the function body. The hardcoded key is also distributed in plaintext to every installer, allowing anyone to drain the author's Vision API quota.

Source: amazon-inspector (d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502)
