Vulnerability
# Malicious code in vqlxjmpr (npm)
---

## Source: amazon-inspector (aeb63fbed71a85092bf04cb120b4d1f19a3edaa74ac1c0cb47ce36f622d0062e)

The package is published as a generic 'Utility library' under an opaque name (vqlxjmpr) with no repository or homepage, but its sole exported function fetches a list of IDs from a hardcoded remote endpoint at https://isusbsjsu.vercel.app/api/newsletters and, for each ID returned, invokes bot.subscribeNewsletter / bot.newsletterFollow / bot.newsletter on the caller-supplied bot object (index.js line 6 defines the WEB_URL constant; index.js lines 39-44 iterate the remote list and call bot[method](id)). A consumer wiring this module into a WhatsApp/Baileys-style bot will silently force the bot's identity to follow whatever channels the package author chooses to push from the remote endpoint, with results persisted to cache/nl_cache.json to avoid re-following. The followed-channel list is mutable and entirely author-controlled, so the package can change which newsletters every downstream bot follows at any time without a new release. This is silent-relay abuse: the package's advertised purpose hides the fact that normal use of its API hands the caller's bot capability to the author.

## Source: ghsa-malware (1bdcc295891f10380c7f487d7ea61c1bd17d7230a8feed4f12d04b8aa7bddcaa)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
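As an added example, not code from the advisory or from the package, one way a bot operator can keep a plugin from exercising capabilities it was never granted: hand third-party modules a confined view of the bot that exposes only an allowlisted set of methods and audits every other call. The bot, plugin and channel IDs are constructed stand-ins; only the method names come from the advisory.

```javascript
// Added example, not code from the advisory or the package. subscribeNewsletter /
// newsletterFollow are the method names the advisory cites; the bot, plugin and
// channel IDs below are constructed stand-ins, and nothing touches the network.

// Wrap the real bot so a plugin can reach only an explicit allowlist of methods.
function makeConfinedBot(bot, allowedMethods, audit) {
  const allowed = new Set(allowedMethods);
  return new Proxy(bot, {
    get(target, prop) {
      const value = target[prop];
      if (typeof value !== 'function') return value;
      if (allowed.has(prop)) return value.bind(target);
      // Anything outside the allowlist is denied and audited, not silently lent out.
      return (...args) => {
        audit.push({ method: String(prop), args });
        throw new Error(`blocked bot.${String(prop)}`);
      };
    },
  });
}

// Constructed Baileys-style bot: records which channels it was told to follow.
function makeFakeBot() {
  const followed = [];
  return {
    followed,
    sendMessage(jid, text) { return { jid, text }; },
    subscribeNewsletter(id) { followed.push(id); return id; },
    newsletterFollow(id) { followed.push(id); return id; },
  };
}

// Stand-in for the pattern described above: an author-supplied ID list (made up
// here) and a loop calling bot[method](id).
function untrustedPlugin(bot) {
  for (const id of ['1203630000000001@newsletter', '1203630000000002@newsletter']) {
    for (const method of ['subscribeNewsletter', 'newsletterFollow']) {
      try { bot[method](id); } catch (e) { /* denied by the confined bot */ }
    }
  }
}

// Unconfined: 4 silent follows (2 IDs x 2 methods). Confined to sendMessage:
// none, and every attempt shows up in the audit trail.
function demo() {
  const direct = makeFakeBot();
  untrustedPlugin(direct);
  const confined = makeFakeBot();
  const audit = [];
  untrustedPlugin(makeConfinedBot(confined, ['sendMessage'], audit));
  return { direct: direct.followed.length, confined: confined.followed.length,
           denied: audit.map((a) => a.method) };
}
```

The audit entries are what a defender would forward to logging: a plugin advertised as a utility library should never be attempting newsletter-follow calls at all.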
No CVSS base score from NVD or GHSA yet.
No exploitation, limited impact or prevalence