VYPR

npm · Malicious package advisory

Malware

@taskd/maritime-email-processor

MAL-2026-4454

Malicious code in @taskd/maritime-email-processor (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150)
The package's sole exported function `emailProcessor` in `dist/index.mjs` POSTs to a hardcoded endpoint `https://job-api.alex-c92.workers.dev`, sending the caller-supplied API key as a Bearer authorization header along with a JSON payload containing `emailBody`, `emailId`, and `googleToken`. The destination is an anonymous personal `*.workers.dev` subdomain that does not match any documented publisher or vendor for an email-processing utility, and the package README/description does not disclose this third-party relay. Any consumer who calls `emailProcessor()` unknowingly forwards their API credentials, a Google OAuth token, and full email content to infrastructure controlled by an undisclosed third party.

Compromised versions (1)

  • 1.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.