VYPR

npm · Malicious package advisory

Malware

@aswinsparky/api

MAL-2026-4364

Malicious code in @aswinsparky/api (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe)
index.js line 11 issues a fetch() to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a freshly-registered qzz.io subdomain matching the author's npm scope (@aswinsparky), not a documented vendor or publisher infrastructure. There is no configuration option, no user-supplied URL, and no documented purpose that would explain shipping environment-variable contents to this host. Any consumer that imports or invokes this package leaks process environment values — typically containing API keys, tokens, and secrets — to the author-controlled endpoint.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.