npm · Malicious package advisory
Malwareetherproxy-lite
MAL-2026-4552
Malicious code in etherproxy-lite (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5756836b470f645f316696cbaedb1aedc21cde7fc921714bfbf70f2d528ad5b4)
The bundled dist/index.js reads process.env values and posts data to https://api.telegram.org via a hardcoded fetch call (line 97), with additional POST/fetch primitives at lines 63, 69, and 98. The Telegram bot API endpoint pattern (api.telegram.org/bot<token>/sendMessage) is a well-documented exfiltration channel used to deliver harvested credentials and host data to an attacker-controlled bot, leveraging Telegram's TLS infrastructure to defeat domain blocking. Combined with the require("fs") + require("http") + process.env reads in the same module, the package's behavior is environment harvesting and outbound exfiltration on use. Installing or loading this package routes installer-side environment variables to an attacker-controlled Telegram bot.
Compromised versions (1)
- 0.6.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.