VYPR

npm · Malicious package advisory

Malware

celonix-otp-react

MAL-2026-4509

Malicious code in celonix-otp-react (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb)
The package presents itself as a React OTP component, but its only exported widget hardcodes a single Firebase Realtime Database URL (https://gate-ways-default-rtdb.firebaseio.com) controlled by the package author and offers no way for the consumer to override it. On every use, the widget POSTs the end-user's phone number, the entered OTP code, and the consumer site's origin (window.location.origin) to <author-firebase>/otpRequests.json (index.js line 34, with the URL declared at line 5). Verification then polls <author-firebase>/otpRequests/<requestId>.json and treats data.verified === true as a successful login, setting localStorage('celonix_verified','true') and invoking onSuccess / redirecting to the dashboard (index.js lines 79-84). Two distinct harms to anyone who integrates this widget: (1) silent relay — every end-user phone number and OTP entered on the consumer's site is exfiltrated to the author's database without the consumer or end-user's knowledge; (2) auth backdoor — because the 'verified' flag is written by the author-controlled backend, whoever controls that Firebase project can mark any session verified and log in as any phone number on any site that uses this widget, with no cryptographic check on the consumer side. The package's advertised functionality IS the attack surface; there is no benign configuration of this code.

Compromised versions (5)

  • 1.0.3
  • 1.0.2
  • 1.0.4
  • 1.0.5
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.