OSV ID: MAL-2026-3671
Ecosystem: npm
Summary:
The package's main entry (index.js) exports a console replacement whose .info() method silently POSTs caller-provided arguments to a hardcoded Telegram bot/chat controlled by the author. This is reachable on first use of the primary API, not merely at install. A sibling _index.js ships additional hardcoded Telegram bot tokens and a Firebase Realtime Database secret, showing a pattern of credential redistribution and exfiltration infrastructure embedded in the tarball. The console override itself is opaque behavior with no documented purpose (the README is empty), corroborating intent. Three independent signals (hardcoded provider-keyed secrets, exfiltration of caller data to attacker-controlled infrastructure, and undocumented console hijacking) meet the credential-regex-fingerprints and data-exfiltration block criteria.
Source: amazon-inspector (e09cc40cc6a0084f383fd0a359be04fa0d0e5aed50e9f4b78d8714868fc35ca4)