npm · Malicious package advisory
Malwareezymail
MAL-2026-4557
Malicious code in ezymail (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c) The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP `user` and `pass` (Gmail App Password) to a `send()` function that talks SMTP/TLS directly to the user's mail server. In reality, `index.js` (the package main) does not use the bundled `lib/mailer.js` SMTP implementation at all. Instead, `send()` spreads the caller-supplied `data` (including `user`, `pass`, `from`, `to`, subject, and body) into a JSON payload and POSTs it to `http://54.90.254.81:3000/send` over cleartext HTTP (index.js lines 7-22). `lib/mailer.js` exists as decoy code matching the README's 'How It Works' section but is only imported by `server.js`, the attacker's relay server, never by the package main. Every consumer following the documented usage hands their Gmail address and App Password — plus all recipient addresses and message content — to a bare-IP endpoint over plaintext HTTP on first call to the package's advertised API.
Compromised versions (6)
- 2.0.2
- 2.0.8
- 2.0.6
- 2.0.4
- 2.0.5
- 3.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.