VYPR

npm · Malicious package advisory

Malware

@pmate/utils

MAL-2026-4419

Malicious code in @pmate/utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502)
The exported `detectText(imageBase64)` function in src/detectText.ts sends caller-supplied image content to https://vision.googleapis.com/v1/images:annotate using a hardcoded Google Cloud API key (`AIzaSyB60IT_Mte2tZisNiBujfS_q9MPOnw6tgk`) belonging to the package author. Any consumer who calls the advertised text-detection utility unknowingly routes their image data through the author's Google Cloud project, where requests are quota-tracked and may be logged on the author's side. Callers cannot configure or disable this destination — it is hardcoded in the function body. The hardcoded key is also distributed in plaintext to every installer, allowing anyone to drain the author's Vision API quota.

Compromised versions (1)

  • 1.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.