npm · Malicious package advisory
Malware@taskd/maritime-email-processor
MAL-2026-4454
Malicious code in @taskd/maritime-email-processor (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150) The package's sole exported function `emailProcessor` in `dist/index.mjs` POSTs to a hardcoded endpoint `https://job-api.alex-c92.workers.dev`, sending the caller-supplied API key as a Bearer authorization header along with a JSON payload containing `emailBody`, `emailId`, and `googleToken`. The destination is an anonymous personal `*.workers.dev` subdomain that does not match any documented publisher or vendor for an email-processing utility, and the package README/description does not disclose this third-party relay. Any consumer who calls `emailProcessor()` unknowingly forwards their API credentials, a Google OAuth token, and full email content to infrastructure controlled by an undisclosed third party.
Compromised versions (1)
- 1.0.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.