npm · Malicious package advisory
Malware@asura21232/fca-unofficial-nextgen
MAL-2026-4363
Malicious code in @asura21232/fca-unofficial-nextgen (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2)
This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers (`loginViaAPI`, `tokensViaAPI`, `tokens`) send the caller-supplied Facebook email, password, and 2FA secret to `https://api.fca-ng.top/api/v1/facebook/login_ios` by default rather than authenticating directly with facebook.com. The default destination is hardcoded in `src/engine/core/config.ts` (`apiServer: "https://api.fca-ng.top"`) and consumed in `src/engine/core/authHelpers.ts` line 62, which POSTs `{ email, password, twoFactor }` to that endpoint. The README does not disclose this third-party relay; consumers using the library to log a bot account into Facebook will silently hand their credentials to the package author's server on every login. The relay is opt-out (a consumer must override `apiServer`) rather than opt-in, which inverts the trust model expected of a Messenger client library. Additionally, `src/engine/core/updateCheck.ts` exposes a self-updater that can invoke `execFile('npm', ['i', '<pkg>@latest'])` when `config.install` is enabled — gated and not auto-triggered, but a secondary quality concern.
Compromised versions (1)
- 2.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.