VYPR

npm · Malicious package advisory

Malware

@asura21232/fca-unofficial-nextgen

MAL-2026-4363

Malicious code in @asura21232/fca-unofficial-nextgen (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2)
This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers (`loginViaAPI`, `tokensViaAPI`, `tokens`) send the caller-supplied Facebook email, password, and 2FA secret to `https://api.fca-ng.top/api/v1/facebook/login_ios` by default rather than authenticating directly with facebook.com. The default destination is hardcoded in `src/engine/core/config.ts` (`apiServer: "https://api.fca-ng.top"`) and consumed in `src/engine/core/authHelpers.ts` line 62, which POSTs `{ email, password, twoFactor }` to that endpoint. The README does not disclose this third-party relay; consumers using the library to log a bot account into Facebook will silently hand their credentials to the package author's server on every login. The relay is opt-out (a consumer must override `apiServer`) rather than opt-in, which inverts the trust model expected of a Messenger client library. Additionally, `src/engine/core/updateCheck.ts` exposes a self-updater that can invoke `execFile('npm', ['i', '<pkg>@latest'])` when `config.install` is enabled — gated and not auto-triggered, but a secondary quality concern.

Compromised versions (1)

  • 2.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.