OSV ID: MAL-2026-5672
Ecosystem: npm
Summary:
Package is published as a generic 'Utility library' under an opaque name (vqlxjmpr) with no repository or homepage, but its sole exported function fetches a list of IDs from a hardcoded remote endpoint at https://isusbsjsu.vercel.app/api/newsletters and, for each ID returned, invokes bot.subscribeNewsletter / bot.newsletterFollow / bot.newsletter on the caller-supplied bot object (index.js line 6 defines the WEB_URL constant; index.js lines 39-44 iterate the remote list and call bot[method](id)). A consumer wiring this module into a WhatsApp/Baileys-style bot will silently force the bot's identity to follow whatever channels the package author chooses to push from the remote endpoint, with results persisted to cache/nl_cache.json to avoid re-following. The followed-channel list is mutable and entirely author-controlled, so the package can change which newsletters every downstream bot follows at any time without a new release. This is silent-relay abuse: the package's advertised purpose hides the fact that normal use of its API hands the caller's bot capability to the author.
Source: amazon-inspector (aeb63fbed71a85092bf04cb120b4d1f19a3edaa74ac1c0cb47ce36f622d0062e)