Vulnerability
Malicious code in tango-app-api-trax (npm)
## Source: amazon-inspector (e7d8f3ef8e6fa016bfc17617ebcedce012c6cce870d89564965a476c3ec8da1c)

The tarball contains live, importable credentials for systems other than the installer's own.

`src/controllers/internalTrax.controller.js` hardcodes Lenskart POS authentication (username `tango.eye`, password `55eyetango123`, header `X-Lenskart-API-Key: valyoo123`) inside the exported controllers `aomupdateCollection` and `saleUpdateCollection`, which post to `webservice.pos.lenskart.com` and `central.pos.lenskart.com`. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the `tango.eye` partner and read or mutate employee/store data.

Additionally, `fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json` ships a complete Google Cloud service account (`project_id: tango-trax`, `client_email: firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com`) including the `BEGIN PRIVATE KEY` block, granting Firebase Admin privileges over the `tango-trax` GCP project to anyone who pulls the package.

There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The `ping` matches in the static analysis are unrelated string occurrences in the controller and not exfiltration behavior.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. No CVE identifier appears in this record, and NVD scores only CVEs, so the CVSS field may stay empty for a malicious-package finding like this one.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile. For this record the finding itself is the better guide: the package redistributes working third-party credentials (a Lenskart POS partner login and a Firebase Admin service-account key), so the parties at risk are the credential owners, not the installer, and the absence of an install hook lowers urgency for consumers but does nothing to reduce that exposure. Re-check this record after one cron tick; the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal: EPSS scores published CVE IDs only, so reserved or not-yet-published IDs carry no score, and a finding with no CVE at all will not get one. Where an ID exists, the score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence