npm · Malicious package advisory
Malware@aswinsparky/api
MAL-2026-4364
Malicious code in @aswinsparky/api (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe) index.js line 11 issues a fetch() to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a freshly-registered qzz.io subdomain matching the author's npm scope (@aswinsparky), not a documented vendor or publisher infrastructure. There is no configuration option, no user-supplied URL, and no documented purpose that would explain shipping environment-variable contents to this host. Any consumer that imports or invokes this package leaks process environment values — typically containing API keys, tokens, and secrets — to the author-controlled endpoint.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.