npm · Malicious package advisory
Malware@bcrumbs.net/bc-chat
MAL-2026-4367
Malicious code in @bcrumbs.net/bc-chat (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d4bd9ccff2d027c9982ab41ff4b4417e62475e70aba04212794f267030f63ab0) The exported BCChat React component embeds a hardcoded Azure Blob SAS URL (https://bcuserres.blob.core.windows.net/anonymous) with a long-lived SAS token (valid through 2027-12-31) and uses it to upload every file an end-user attaches in the chat (images, recorded audio, documents). The destination is not configurable through props or runtime configuration, so any application embedding this widget will silently route its users' attachments to the package author's storage account. The same SAS token grants read access (sp=rc) on the 'anonymous' container, meaning anyone who extracts the token from the bundle can also list and read uploads from every other application using this library — a cross-installer data-exposure risk on top of the relay. There are no install-time lifecycle scripts; the harm fires at runtime when an end-user attaches a file in the rendered chat component.
Compromised versions (1)
- 1.0.87
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.